Fetching from the wire…
Public story · 2026-07-17 · high
OWASP ranks prompt injection the top LLM threat, and Axis Intelligence reproduced 47 confirmed attack vectors across six production models in 2026.
Why now: The July 17 roundup pairs Axis Intelligence's lab result with OWASP's ranking, giving agent builders a concrete number to check their own tool-calling code against.
Tool-input injection breaks six production LLMs 84% of the time, per Axis Intelligence's 2026 vulnerability tracker. The tracker reproduced 47 confirmed attack vectors across those models, and tool-input injection is the highest-impact category none of them patch cleanly.
The distinction matters: this isn't someone typing a jailbreak into a chat box. It's an attacker hiding instructions in a web page, a file, or an API response that the agent reads like a user prompt. Axis Intelligence's tracker says that trick works 84% of the time.
OWASP's own list backs the shape of the problem, if not the number. The organization ranks prompt injection the top LLM threat, with reported incidents up 340% year over year. OWASP doesn't break its ranking down by attack vector. Axis Intelligence's tracker does, and it points at tool results specifically, not the prompt box most defenses are built to watch.
Most agent frameworks still don't separate what the user typed from what a tool call returned. Every retrieval call, search result, and API response is a place an attacker can hide instructions. Axis Intelligence found six production models will follow those instructions 84% of the time.
Each link below shares sources, entities, or timing with this story.
Simon Willison released LLM / Shared entity: OWASP / Shared topic / Earlier coverage
Linked by a graph relationship (Simon Willison released LLM); both cover OWASP; overlapping topics (agent, tool).
Linked by a graph relationship (Simon Willison released LLM); both cover OWASP; overlapping topics (attack, injection).
Simon Willison released LLM / Shared entity: LLM / Shared topic / Earlier coverage
Linked by a graph relationship (Simon Willison released LLM); both cover LLM; overlapping topics (agent, tool).
Simon Willison released LLM / Shared entity: LLM / Earlier coverage / Tension
Linked by a graph relationship (Simon Willison released LLM); both cover LLM; earlier LLM coverage from 2026-06-19.
Linked by a graph relationship (Simon Willison released LLM); both cover LLM; earlier LLM coverage from 2026-06-18.
Simon Willison released LLM / Shared entity: LLMs / Earlier coverage / Tension
Linked by a graph relationship (Simon Willison released LLM); both cover LLMs; earlier LLMs coverage from 2026-03-23.
OWASP released MCP / Shared entities / Shared topic / Earlier coverage
Linked by a graph relationship (OWASP released MCP); both cover LLMs, OWASP; overlapping topics (agent, already, attack, injection, prompt).
LLM uses OpenAI / Shared entity: LLM / Earlier coverage
Linked by a graph relationship (LLM uses OpenAI); both cover LLM; earlier LLM coverage from 2026-06-19.