Between May 4 and May 6, 2026, NVD published four CVEs against AI/agent projects. Different teams, different codebases, four review processes — and one defect class. The shape: an LLM produces output, the application drops that output into a privileged execution sink — SQL engine, Python interpreter, shell, browser DOM — without re-validation, and the sink runs it.

This is OWASP's LLM05: Improper Output Handling. It is distinct from LLM01: Prompt Injection precisely because the failure mode is downstream of the model. The user's prompt isn't malicious. The user asks for a SQL query and gets a SQL query. The model didn't go rogue. The application failed to treat the model's output as untrusted.

Why this matters for how you allocate AI security spend

A guardrail product tuned to detect malicious prompts produces zero alerts on these four CVEs. There is no jailbreak. There is no prompt injection.…