XSS from LLM output steals session cookies or auth tokens. Attacker gains full access to the victim’s account without knowing their password.

SQL injection via LLM-generated queries dumps database tables. Customer records, credentials, financial data — all at risk.

LLM-generated code executed by the host gives the attacker a shell. CVSS 9.8 vulnerabilities in LangChain and Vanna.AI both demonstrated this.

A breach caused by missing output sanitization can trigger GDPR fines, SEC disclosures, and customer-facing liability — especially if PII was exposed.