Fetching from the wire…
Public story · 2026-07-10 · high
The paper argues that securing an agent requires reasoning over page structure, the same structure an attacker controls, so per-task policies fail.
Why now: Prismata is drawing notice as the most actionable web-agent security paper of the last 48 hours, as more products ship agents that browse the open web instead of a closed corpus.
A new paper called Prismata treats AI web-agent prompt injection as a strain of cross-site scripting, per arXiv 2607.08147.
Its claim: mixing trusted and untrusted page content, then letting the model act on it, revives a bug class security spent fifteen years closing. That's the exposure for any product letting an agent read pages it doesn't control.
The sharper problem, per the paper: a security policy has to reason over the page's structure to work at all. It needs to be tight enough to block bad instructions and loose enough to let the agent finish its task. That structure is exactly what the attacker controls, so rewriting the page rewrites the policy meant to constrain it.
Prompt engineering doesn't close this gap. The fix is the one that ended XSS: a hard boundary between rendered content and executable instructions, enforced outside the model, not requested of it. Any agent framework still asking the LLM to police that boundary itself is betting it can out-reason whoever edited the page last. I wouldn't take that bet.
Each link below shares sources, entities, or timing with this story.
Shared entity: Most / Shared topic / Earlier coverage
Both cover Most; overlapping topics (actionable, agent, security); earlier Most coverage from 2026-02-28.
Both cover Most; overlapping topics (actionable, agent, control); earlier Most coverage from 2026-02-24.
Shared entity: Most / Same source domain / Earlier coverage
Both cover Most; reported by the same outlet (arxiv.org); earlier Most coverage from 2026-06-26.
Both cover Most; reported by the same outlet (arxiv.org); earlier Most coverage from 2026-06-20.