{"id":"https://openalex.org/W7164525138","doi":"https://doi.org/10.48550/arxiv.2606.13385","title":"Who Pays the Price? Stakeholder-Centric Prompt Injection Benchmarking for Real-world Web Agents","display_name":"Who Pays the Price? Stakeholder-Centric Prompt Injection Benchmarking for Real-world Web Agents","publication_year":2026,"publication_date":"2026-06-11","ids":{"openalex":"https://openalex.org/W7164525138","doi":"https://doi.org/10.48550/arxiv.2606.13385"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2606.13385","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2606.13385","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2606.13385","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5138527160","display_name":"Zihao Wang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Wang, Zihao","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5138529828","display_name":"Yiming Li","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Li, Yiming","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5138488218","display_name":"Yutong Wu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Wu, Yutong","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101507289","display_name":"Zheyu Liu","orcid":"https://orcid.org/0000-0002-1696-6980"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Zheyu","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5002393832","display_name":"Kangjie Chen","orcid":"https://orcid.org/0009-0007-2454-4976"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Chen, Kangjie","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5012357758","display_name":"Fok Kar Wai","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Wai, Fok Kar","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5138522588","display_name":"Pin-Yu Chen","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Chen, Pin-Yu","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5040321131","display_name":"Vrizlynn L. L. Thing","orcid":"https://orcid.org/0000-0003-4424-8596"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Thing, Vrizlynn L. L.","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5138505252","display_name":"Bo Li","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Li, Bo","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5138511350","display_name":"Dacheng Tao","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Tao, Dacheng","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5138484780","display_name":"Tianwei Zhang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhang, Tianwei","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":0,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.24860000610351562,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.24860000610351562,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.1371999979019165,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.11429999768733978,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.7796000242233276},{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.7217000126838684},{"id":"https://openalex.org/keywords/benchmarking","display_name":"Benchmarking","score":0.6696000099182129},{"id":"https://openalex.org/keywords/benchmark","display_name":"Benchmark (surveying)","score":0.642799973487854},{"id":"https://openalex.org/keywords/task","display_name":"Task (project management)","score":0.5561000108718872},{"id":"https://openalex.org/keywords/web-application","display_name":"Web application","score":0.4636000096797943},{"id":"https://openalex.org/keywords/harm","display_name":"Harm","score":0.446399986743927},{"id":"https://openalex.org/keywords/categorization","display_name":"Categorization","score":0.3921999931335449}],"concepts":[{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.7796000242233276},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7386000156402588},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.7217000126838684},{"id":"https://openalex.org/C86251818","wikidata":"https://www.wikidata.org/wiki/Q816754","display_name":"Benchmarking","level":2,"score":0.6696000099182129},{"id":"https://openalex.org/C185798385","wikidata":"https://www.wikidata.org/wiki/Q1161707","display_name":"Benchmark (surveying)","level":2,"score":0.642799973487854},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6166999936103821},{"id":"https://openalex.org/C2780451532","wikidata":"https://www.wikidata.org/wiki/Q759676","display_name":"Task (project management)","level":2,"score":0.5561000108718872},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.4636000096797943},{"id":"https://openalex.org/C2777363581","wikidata":"https://www.wikidata.org/wiki/Q15098235","display_name":"Harm","level":2,"score":0.446399986743927},{"id":"https://openalex.org/C94124525","wikidata":"https://www.wikidata.org/wiki/Q912550","display_name":"Categorization","level":2,"score":0.3921999931335449},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.3433000147342682},{"id":"https://openalex.org/C184337299","wikidata":"https://www.wikidata.org/wiki/Q1437428","display_name":"Semantics (computer science)","level":2,"score":0.33799999952316284},{"id":"https://openalex.org/C65856478","wikidata":"https://www.wikidata.org/wiki/Q3991682","display_name":"Attack model","level":2,"score":0.3334999978542328},{"id":"https://openalex.org/C35578498","wikidata":"https://www.wikidata.org/wiki/Q193424","display_name":"Web service","level":2,"score":0.30730000138282776},{"id":"https://openalex.org/C41550386","wikidata":"https://www.wikidata.org/wiki/Q529909","display_name":"Multi-agent system","level":2,"score":0.28439998626708984},{"id":"https://openalex.org/C97200028","wikidata":"https://www.wikidata.org/wiki/Q1196135","display_name":"Web engineering","level":5,"score":0.2775999903678894},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.26489999890327454},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.26339998841285706},{"id":"https://openalex.org/C59241245","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Web application security","level":4,"score":0.25940001010894775},{"id":"https://openalex.org/C165136773","wikidata":"https://www.wikidata.org/wiki/Q1363179","display_name":"Single point of failure","level":2,"score":0.2547000050544739}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2606.13385","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2606.13385","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"Preprint"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2606.13385","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2606.13385","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"sustainable_development_goals":[{"score":0.7687976360321045,"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Web":[0],"agents":[1,217],"driven":[2],"by":[3,161,206],"large":[4],"language":[5],"models":[6],"(LLMs)":[7],"are":[8,204],"increasingly":[9],"deployed":[10],"in":[11,34,116,218],"real-world":[12,117,219],"environments,":[13],"where":[14],"they":[15],"operate":[16],"over":[17],"untrusted":[18],"web":[19,118],"content":[20,38],"and":[21,85,113,136,143,150,164,191,197],"execute":[22],"actions":[23],"with":[24,140],"direct":[25],"consequences.":[26],"This":[27],"makes":[28],"them":[29],"vulnerable":[30],"to":[31,110,183],"prompt-injection":[32,71],"attacks,":[33],"which":[35],"seemingly":[36],"benign":[37],"embeds":[39],"adversarial":[40,195],"instructions":[41],"that":[42],"manipulate":[43],"agent":[44,119],"behaviour.":[45],"Existing":[46],"security":[47],"benchmarks":[48],"adopt":[49],"an":[50],"\\textit{attack-centric}":[51],"perspective,":[52],"focusing":[53],"on":[54,96],"the":[55,62,86,131,179,210],"technical":[56],"feasibility":[57],"of":[58,65,215],"injections":[59],"while":[60],"overlooking":[61],"nuanced":[63],"distribution":[64],"resulting":[66],"harms.":[67],"In":[68],"practice,":[69],"however,":[70],"risk":[72],"is":[73,158,222],"victim-dependent:":[74],"a":[75,107,154],"single":[76,155],"exploit":[77],"can":[78],"produce":[79],"asymmetric":[80],"consequences":[81],"for":[82,212],"different":[83,93],"stakeholders,":[84],"same":[87],"attack":[88,156,189],"pattern":[89],"may":[90],"exhibit":[91],"substantially":[92],"effectiveness":[94],"depending":[95],"whom":[97],"it":[98],"targets.":[99],"To":[100],"capture":[101],"these":[102],"properties,":[103],"we":[104],"introduce":[105],"\\textbf{\\sysname},":[106],"\\textit{stakeholder-centric}":[108],"benchmark":[109],"systematically":[111],"categorize":[112],"attribute":[114],"harm":[115],"systems.":[120],"It":[121],"distinguishes":[122],"between":[123],"affected":[124],"entities":[125],"(e.g.,":[126],"user,":[127],"seller,":[128],"platform),":[129],"decomposes":[130],"attacks":[132],"into":[133],"concrete":[134],"objectives,":[135],"evaluates":[137],"each":[138],"case":[139],"complementary":[141],"outcome-":[142],"process-level":[144],"metrics.":[145],"Our":[146],"results":[147],"reveal":[148],"substantial":[149],"heterogeneous":[151],"vulnerabilities:":[152],"not":[153],"objective":[157,196],"reliably":[159],"resisted":[160],"current":[162],"agents,":[163],"failures":[165],"distribute":[166],"across":[167],"qualitatively":[168],"distinct":[169],"modes":[170],"ranging":[171],"from":[172],"\\emph{stealthy":[173],"parasitism}":[174],"(attack":[175],"succeeds":[176],"without":[177,188],"disrupting":[178],"user's":[180],"delegated":[181],"task)":[182],"\\emph{misaligned":[184],"disruption}":[185],"(task":[186],"disrupted":[187],"success)":[190],"\\emph{compounded":[192],"failure}":[193],"(both":[194],"task":[198],"integrity":[199],"simultaneously":[200],"violated).":[201],"These":[202],"patterns":[203],"missed":[205],"conventional":[207],"evaluation,":[208],"highlighting":[209],"need":[211],"stakeholder-aware":[213],"assessment":[214],"LLM-based":[216],"deployments.":[220],"Benchmark":[221],"available":[223],"at":[224],"https://github.com/StakeBench/SBC.":[225]},"counts_by_year":[],"updated_date":"2026-07-01T06:00:48.157686","created_date":"2026-06-13T00:00:00"}
