OWASP Top 10 for LLM Applications

Manipulating LLMs through crafted inputs to cause unintended actions — bypassing safety filters, exfiltrating data, or executing unauthorized commands.

LLMs may reveal confidential data through their outputs — training data memorization, PII leakage, proprietary information, or system prompt exposure.

Risks from compromised training data, pre-trained models, plugins, and third-party components used in LLM applications.

Manipulation of training data or fine-tuning processes to introduce vulnerabilities, backdoors, or biases into the model.

Failing to validate, sanitize, or safely handle LLM outputs before passing them to downstream components — enabling XSS, SSRF, SSTI, and code injection.

Granting LLMs too many capabilities, permissions, or autonomy — allowing them to take harmful actions based on unexpected or manipulated outputs.

Exposure of system prompts that contain sensitive information, business logic, or security controls that attackers can use to bypass safeguards.

Vulnerabilities in the generation, storage, and retrieval of vector embeddings used in RAG systems, leading to data leakage, poisoning, or unauthorized access.

LLMs generating false, misleading, or fabricated information (hallucinations) that users trust and act upon, leading to real-world harm.

LLM applications that allow uncontrolled resource consumption — leading to denial of service, excessive costs, or model theft through repeated API calls.