INDIRECT INJECTION
5 hacks.
IterInject: when an LLM optimiser writes its own indirect prompt injections
A May 23, 2026 paper closes the loop between payload, diagnoser and LLM optimiser — lifting indirect-injection ASR from near-zero to 33–90% on InjecAgent and compromising 5 of 9 Claude Code targets.
GrafanaGhost: indirect prompt injection chained with a URL-parse bug to exfiltrate dashboard data
Noma Security's April 7, 2026 disclosure shows how three modest defects — a stored injection point, a startsWith('/') URL check, and a one-word guardrail bypass — combine into a silent exfiltration path through Grafana's AI assistant.
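The teaser names a startsWith('/') URL check as one of the three defects. The block below is an added illustration, not Noma Security's or Grafana's code and not the disclosure's actual payload: it shows the generic reason such a check fails as a "stays on our origin" test (protocol-relative and backslash-prefixed targets pass it) and a stricter check that resolves the target against the application origin. The origin, paths and the isLocalPath* function names are assumptions made for the example.

```javascript
// Added example: why a startsWith('/') test is not a same-origin path check.
// Not Grafana's code; the bypass shown is the generic protocol-relative case.

// Weak check: accepts anything that begins with a slash.
function isLocalPathWeak(target) {
  return typeof target === "string" && target.startsWith("/");
}

// Hardened check: reject "//" and backslash forms outright, then resolve the
// target against the application origin and require the result to stay there.
// Browsers and WHATWG URL parsers treat "/\host" like "//host", so both are
// rejected explicitly even though the origin comparison would also catch them.
function isLocalPathStrict(target, appOrigin) {
  if (typeof target !== "string") return false;
  if (!target.startsWith("/") || target.startsWith("//") || target.includes("\\")) {
    return false;
  }
  let resolved;
  try {
    resolved = new URL(target, appOrigin);
  } catch {
    return false;
  }
  return resolved.origin === appOrigin;
}

// Constructed inputs (assumed, not from the disclosure): link targets an
// assistant might be induced to emit.
const ORIGIN = "https://grafana.example";
const SAMPLES = [
  "/d/abc123/dashboard",          // genuine relative path
  "//attacker.example/collect",   // protocol-relative: leaves the origin
  "/\\attacker.example/collect",  // backslash variant of the same trick
  "https://attacker.example/x",   // absolute URL
];

// Run both checks over each sample so the difference is visible side by side.
function classify(targets, origin) {
  return targets.map((t) => ({
    target: t,
    weak: isLocalPathWeak(t),
    strict: isLocalPathStrict(t, origin),
  }));
}

console.log(classify(SAMPLES, ORIGIN));
```

The point to take from the table: the weak check lets three of the four samples through as "local", while the strict check admits only the genuine path.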
Discourse AI XSS (CVE-2026-27740): when LLM output is trusted as HTML
A flagged post, an AI moderator, an htmlSafe call. The Discourse AI plugin treated LLM output as trusted markup, turning indirect prompt injection into Staff-side XSS. Published March 19, 2026.
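The teaser's point is that one htmlSafe call turned model output into markup. The block below is an added illustration and not the Discourse AI plugin's code: it models the "trusted string" API as a small SafeString wrapper (an assumption in the spirit of Ember's htmlSafe, not its implementation), renders a moderator verdict both ways, and counts the tags that reach the page. The verdict text and the injected payload are constructed for the example.

```javascript
// Added example: marking model output as trusted HTML vs escaping it.
// Not Discourse code; SafeString stands in for an htmlSafe-style wrapper.

// Assumed trusted-markup wrapper: template engines interpolate it verbatim.
class SafeString {
  constructor(html) { this.html = html; }
  toString() { return this.html; }
}

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable pattern: whatever the model returned is marked safe wholesale.
function renderVerdictTrusted(llmOutput) {
  return `<div class="ai-verdict">${new SafeString(llmOutput)}</div>`;
}

// Hardened pattern: model output is data, never markup.
function renderVerdictEscaped(llmOutput) {
  return `<div class="ai-verdict">${escapeHtml(llmOutput)}</div>`;
}

// Constructed model output: a flagged post carried an instruction that made
// the moderator model echo an event-handler payload inside its verdict.
const INJECTED_OUTPUT =
  'This post violates rule 3.<img src=x onerror="alert(document.cookie)">';

// Count opening and closing tags in the rendered fragment. The wrapper div
// contributes exactly two; anything beyond that came from the model.
function tagCount(html) {
  return (html.match(/<\/?[a-z]/gi) || []).length;
}

console.log("trusted tags:", tagCount(renderVerdictTrusted(INJECTED_OUTPUT)));
console.log("escaped tags:", tagCount(renderVerdictEscaped(INJECTED_OUTPUT)));
```

Escaping is the minimum; if the verdict genuinely needs formatting, render a constrained subset through a sanitiser rather than trusting the model's string.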
Indirect prompt injection in the wild: three April 2026 studies converge
Google, Forcepoint and CISPA independently measured indirect prompt injection across the open web in April 2026. The picture: 15K+ validated payloads, 32% growth, organized templates.
ShareLeak (CVE-2026-21520): the first CVE Microsoft assigned to a Copilot prompt injection
Disclosed April 15, 2026, Capsule Security's ShareLeak write-up details an indirect prompt injection in Microsoft Copilot Studio. Microsoft assigned CVE-2026-21520 (CVSS 7.5), an industry first that reframes prompt injection as a tracked vulnerability class.