Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/langflow@1.0.9
Typepypi
Namespace
Namelangflow
Version1.0.9
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
0
url VCID-1s44-7dfe-c7bq
vulnerability_id VCID-1s44-7dfe-c7bq
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-9277
reference_id
reference_type
scores
0
value 0.0017
scoring_system epss
scoring_elements 0.37955
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-9277
1
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow
2
reference_url https://github.com/langflow-ai/langflow/blob/main/src/backend/base/langflow/interface/utils.py#L65
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/blob/main/src/backend/base/langflow/interface/utils.py#L65
3
reference_url https://rumbling-slice-eb0.notion.site/Remote-Redos-in-https-github-com-langflow-ai-langflow-067159ced0d5494e91b06071384969c4?pvs=4
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv2
scoring_elements AV:A/AC:M/Au:S/C:N/I:N/A:P
1
value 3.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
2
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
3
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-27T15:01:06Z/
url https://rumbling-slice-eb0.notion.site/Remote-Redos-in-https-github-com-langflow-ai-langflow-067159ced0d5494e91b06071384969c4?pvs=4
4
reference_url https://vuldb.com/?ctiid.278659
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv2
scoring_elements AV:A/AC:M/Au:S/C:N/I:N/A:P
1
value 3.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
2
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
3
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-27T15:01:06Z/
url https://vuldb.com/?ctiid.278659
5
reference_url https://vuldb.com/?id.278659
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv2
scoring_elements AV:A/AC:M/Au:S/C:N/I:N/A:P
1
value 3.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
2
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
3
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-27T15:01:06Z/
url https://vuldb.com/?id.278659
6
reference_url https://vuldb.com/?submit.410043
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv2
scoring_elements AV:A/AC:M/Au:S/C:N/I:N/A:P
1
value 3.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
2
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
3
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-27T15:01:06Z/
url https://vuldb.com/?submit.410043
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-9277
reference_id CVE-2024-9277
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-9277
8
reference_url https://github.com/advisories/GHSA-355v-2rjx-fpx7
reference_id GHSA-355v-2rjx-fpx7
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-355v-2rjx-fpx7
fixed_packages
aliases CVE-2024-9277, GHSA-355v-2rjx-fpx7
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1s44-7dfe-c7bq
1
url VCID-22hm-534x-fyed
vulnerability_id VCID-22hm-534x-fyed
summary Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiates the generated class server-side. In deployments where an attacker can access the Agentic Assistant feature and influence the model output, this can result in arbitrary server-side Python execution. Version 1.9.0 fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33873
reference_id
reference_type
scores
0
value 0.00056
scoring_system epss
scoring_elements 0.17815
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33873
1
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow
2
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/api/router.py#L252-L297
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/api/router.py#L252-L297
3
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/api/schemas.py#L20-L31
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/api/schemas.py#L20-L31
4
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/helpers/code_extraction.py#L11-L53
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/helpers/code_extraction.py#L11-L53
5
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/helpers/validation.py#L27-L47
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/helpers/validation.py#L27-L47
6
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L142-L156
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L142-L156
7
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L259-L300
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L259-L300
8
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L58-L79
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L58-L79
9
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/api/utils/core.py#L38
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/api/utils/core.py#L38
10
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/api/v1/login.py#L96-L135
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/api/v1/login.py#L96-L135
11
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/services/auth/utils.py#L156-L163
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/services/auth/utils.py#L156-L163
12
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/services/auth/utils.py#L39-L53
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/services/auth/utils.py#L39-L53
13
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L241-L272
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L241-L272
14
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L394-L399
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L394-L399
15
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L441-L443
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L441-L443
16
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/services/settings/auth.py#L71-L87
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/services/settings/auth.py#L71-L87
17
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-v8hw-mh8c-jxfc
reference_id
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-v8hw-mh8c-jxfc
18
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33873
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33873
19
reference_url https://github.com/advisories/GHSA-v8hw-mh8c-jxfc
reference_id GHSA-v8hw-mh8c-jxfc
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v8hw-mh8c-jxfc
fixed_packages
0
url pkg:pypi/langflow@1.9.0
purl pkg:pypi/langflow@1.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3kr1-vtdc-43hb
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.9.0
aliases CVE-2026-33873, GHSA-v8hw-mh8c-jxfc, PYSEC-2026-82
risk_score 4.5
exploitability 0.5
weighted_severity 8.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-22hm-534x-fyed
2
url VCID-3kr1-vtdc-43hb
vulnerability_id VCID-3kr1-vtdc-43hb
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-6598
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.0303
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-6598
1
reference_url https://gist.github.com/chenhouser2025/77adb3486c06c635ae4b09a3eaf90213
reference_id
reference_type
scores
0
value 4
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR
1
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
2
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
3
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
5
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T16:19:05Z/
url https://gist.github.com/chenhouser2025/77adb3486c06c635ae4b09a3eaf90213
2
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow
3
reference_url https://github.com/langflow-ai/langflow/commit/45325f6376309a91f5017fa033a96c09c7e295e3
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/commit/45325f6376309a91f5017fa033a96c09c7e295e3
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-6598
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-6598
5
reference_url https://vuldb.com/submit/791921
reference_id
reference_type
scores
0
value 4
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR
1
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
2
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
3
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
5
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T16:19:05Z/
url https://vuldb.com/submit/791921
6
reference_url https://vuldb.com/vuln/358233
reference_id
reference_type
scores
0
value 4
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR
1
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
2
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
3
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
5
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T16:19:05Z/
url https://vuldb.com/vuln/358233
7
reference_url https://vuldb.com/vuln/358233/cti
reference_id
reference_type
scores
0
value 4
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR
1
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
2
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
3
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
5
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T16:19:05Z/
url https://vuldb.com/vuln/358233/cti
8
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
9
reference_url https://github.com/advisories/GHSA-9jpj-cph8-w449
reference_id GHSA-9jpj-cph8-w449
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9jpj-cph8-w449
fixed_packages
0
url pkg:pypi/langflow@1.9.1
purl pkg:pypi/langflow@1.9.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.9.1
aliases CVE-2026-6598, GHSA-9jpj-cph8-w449
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3kr1-vtdc-43hb
3
url VCID-53es-gfv9-qugp
vulnerability_id VCID-53es-gfv9-qugp
summary 
Langflow affected by Remote Code Execution via validate_code() exec()
Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-0770
reference_id
reference_type
scores
0
value 0.14653
scoring_system epss
scoring_elements 0.9459
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-0770
1
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 8.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow
2
reference_url https://www.zerodayinitiative.com/advisories/ZDI-26-036
reference_id
reference_type
scores
0
value 8.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.zerodayinitiative.com/advisories/ZDI-26-036
3
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52597.py
reference_id CVE-2026-0770
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52597.py
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-0770
reference_id CVE-2026-0770
reference_type
scores
0
value 8.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-0770
5
reference_url https://github.com/affix/CVE-2026-0770-PoC
reference_id CVE-2026-0770-POC
reference_type
scores
0
value 8.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/affix/CVE-2026-0770-PoC
6
reference_url https://github.com/advisories/GHSA-g22f-v6f7-2hrh
reference_id GHSA-g22f-v6f7-2hrh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g22f-v6f7-2hrh
7
reference_url https://www.zerodayinitiative.com/advisories/ZDI-26-036/
reference_id ZDI-26-036
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-24T04:56:28Z/
url https://www.zerodayinitiative.com/advisories/ZDI-26-036/
fixed_packages
aliases CVE-2026-0770, GHSA-g22f-v6f7-2hrh
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-53es-gfv9-qugp
4
url VCID-5q3j-kw8n-3ufk
vulnerability_id VCID-5q3j-kw8n-3ufk
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-57760
reference_id
reference_type
scores
0
value 0.00017
scoring_system epss
scoring_elements 0.04525
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-57760
1
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow
2
reference_url https://github.com/langflow-ai/langflow/commit/c188ec113c9ca46154ad01d0eded1754cc6bef97
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-25T20:34:06Z/
url https://github.com/langflow-ai/langflow/commit/c188ec113c9ca46154ad01d0eded1754cc6bef97
3
reference_url https://github.com/langflow-ai/langflow/pull/9152
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/pull/9152
4
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-4gv9-mp8m-592r
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-25T20:34:06Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-4gv9-mp8m-592r
5
reference_url http://github.com/langflow-ai/langflow/pull/9152
reference_id 9152
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-25T20:34:06Z/
url http://github.com/langflow-ai/langflow/pull/9152
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-57760
reference_id CVE-2025-57760
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-57760
7
reference_url https://github.com/advisories/GHSA-4gv9-mp8m-592r
reference_id GHSA-4gv9-mp8m-592r
reference_type
scores
url https://github.com/advisories/GHSA-4gv9-mp8m-592r
fixed_packages
0
url pkg:pypi/langflow@1.5.1
purl pkg:pypi/langflow@1.5.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-22hm-534x-fyed
1
vulnerability VCID-3kr1-vtdc-43hb
2
vulnerability VCID-53es-gfv9-qugp
3
vulnerability VCID-9ant-8hr4-a7ak
4
vulnerability VCID-9vte-9ecr-quhw
5
vulnerability VCID-cf4w-2j9d-kqee
6
vulnerability VCID-dsgg-w6zh-5fek
7
vulnerability VCID-e43u-exka-akh6
8
vulnerability VCID-f48g-ys3e-kfbe
9
vulnerability VCID-hu3f-1d7m-qfaq
10
vulnerability VCID-quy8-3rhy-wufd
11
vulnerability VCID-rnzn-x922-vkav
12
vulnerability VCID-txxh-vg3y-qqe4
13
vulnerability VCID-uqbp-kmed-fyc8
14
vulnerability VCID-z1h6-t53p-77aj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.5.1
aliases CVE-2025-57760, GHSA-4gv9-mp8m-592r
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5q3j-kw8n-3ufk
5
url VCID-9ant-8hr4-a7ak
vulnerability_id VCID-9ant-8hr4-a7ak
summary 
Langflow has Remote Code Execution in CSV Agent
The CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE).
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27966
reference_id
reference_type
scores
0
value 0.37776
scoring_system epss
scoring_elements 0.9728
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27966
1
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow
2
reference_url https://github.com/langflow-ai/langflow/commit/d8c6480daa17b2f2af0b5470cdf5c3d28dc9e508
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-27T14:15:24Z/
url https://github.com/langflow-ai/langflow/commit/d8c6480daa17b2f2af0b5470cdf5c3d28dc9e508
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27966
reference_id CVE-2026-27966
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27966
4
reference_url https://github.com/advisories/GHSA-3645-fxcv-hqr4
reference_id GHSA-3645-fxcv-hqr4
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3645-fxcv-hqr4
5
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-3645-fxcv-hqr4
reference_id GHSA-3645-fxcv-hqr4
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-27T14:15:24Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-3645-fxcv-hqr4
fixed_packages
aliases CVE-2026-27966, GHSA-3645-fxcv-hqr4
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9ant-8hr4-a7ak
6
url VCID-9vte-9ecr-quhw
vulnerability_id VCID-9vte-9ecr-quhw
summary Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpoint, the folder_name and file_name parameters are not strictly filtered, which allows the secret_key to be read across directories. Version 1.7.1 contains a patch.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33497
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.1267
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33497
1
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow
2
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-ph9w-r52h-28p7
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:45:18Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-ph9w-r52h-28p7
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33497
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33497
4
reference_url https://github.com/advisories/GHSA-ph9w-r52h-28p7
reference_id GHSA-ph9w-r52h-28p7
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-ph9w-r52h-28p7
fixed_packages
0
url pkg:pypi/langflow@1.7.1
purl pkg:pypi/langflow@1.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-22hm-534x-fyed
1
vulnerability VCID-3kr1-vtdc-43hb
2
vulnerability VCID-53es-gfv9-qugp
3
vulnerability VCID-9ant-8hr4-a7ak
4
vulnerability VCID-cf4w-2j9d-kqee
5
vulnerability VCID-dsgg-w6zh-5fek
6
vulnerability VCID-e43u-exka-akh6
7
vulnerability VCID-f48g-ys3e-kfbe
8
vulnerability VCID-rnzn-x922-vkav
9
vulnerability VCID-z1h6-t53p-77aj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.7.1
aliases CVE-2026-33497, GHSA-ph9w-r52h-28p7, PYSEC-2026-81
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9vte-9ecr-quhw
7
url VCID-cf4w-2j9d-kqee
vulnerability_id VCID-cf4w-2j9d-kqee
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33017
reference_id
reference_type
scores
0
value 0.23981
scoring_system epss
scoring_elements 0.96127
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33017
1
reference_url https://github.com/advisories/GHSA-rvqx-wpfh-mfx7
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-26T03:55:25Z/
url https://github.com/advisories/GHSA-rvqx-wpfh-mfx7
2
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow
3
reference_url https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-26T03:55:25Z/
url https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0
4
reference_url https://github.com/langflow-ai/langflow/issues/12345
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/issues/12345
5
reference_url https://github.com/langflow-ai/langflow/pull/12160
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/pull/12160
6
reference_url https://github.com/langflow-ai/langflow/releases/tag/1.8.2
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/releases/tag/1.8.2
7
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
3
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
4
value CRITICAL
scoring_system generic_textual
scoring_elements
5
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-26T03:55:25Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx
8
reference_url https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33017
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33017
10
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33017
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33017
11
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017
12
reference_url https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours
13
reference_url https://github.com/advisories/GHSA-vwmf-pq79-vjvx
reference_id GHSA-vwmf-pq79-vjvx
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vwmf-pq79-vjvx
fixed_packages
aliases CVE-2026-33017, GHSA-vwmf-pq79-vjvx
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cf4w-2j9d-kqee
8
url VCID-dsgg-w6zh-5fek
vulnerability_id VCID-dsgg-w6zh-5fek
summary Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes it with only a generic authentication check (get_current_active_user dependency). However, the delete_api_key() CRUD function does NOT verify that the API key belongs to the current user before deletion.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33053
reference_id
reference_type
scores
0
value 0.00057
scoring_system epss
scoring_elements 0.18118
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33053
1
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow
2
reference_url https://github.com/langflow-ai/langflow/commit/fdc1b3b1448ff3317d73d3e769a6c4a1717f74d7
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/commit/fdc1b3b1448ff3317d73d3e769a6c4a1717f74d7
3
reference_url https://github.com/langflow-ai/langflow/releases/tag/1.7.2
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/releases/tag/1.7.2
4
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-rf6x-r45m-xv3w
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:L
3
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
4
value HIGH
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T16:22:42Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-rf6x-r45m-xv3w
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33053
reference_id CVE-2026-33053
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-33053
6
reference_url https://github.com/advisories/GHSA-rf6x-r45m-xv3w
reference_id GHSA-rf6x-r45m-xv3w
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rf6x-r45m-xv3w
fixed_packages
0
url pkg:pypi/langflow@1.7.2
purl pkg:pypi/langflow@1.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-22hm-534x-fyed
1
vulnerability VCID-3kr1-vtdc-43hb
2
vulnerability VCID-53es-gfv9-qugp
3
vulnerability VCID-9ant-8hr4-a7ak
4
vulnerability VCID-cf4w-2j9d-kqee
5
vulnerability VCID-dsgg-w6zh-5fek
6
vulnerability VCID-e43u-exka-akh6
7
vulnerability VCID-f48g-ys3e-kfbe
8
vulnerability VCID-rnzn-x922-vkav
9
vulnerability VCID-z1h6-t53p-77aj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.7.2
1
url pkg:pypi/langflow@1.9.0
purl pkg:pypi/langflow@1.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3kr1-vtdc-43hb
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.9.0
aliases CVE-2026-33053, GHSA-rf6x-r45m-xv3w, PYSEC-2026-78
risk_score 4.0
exploitability 0.5
weighted_severity 7.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dsgg-w6zh-5fek
9
url VCID-e43u-exka-akh6
vulnerability_id VCID-e43u-exka-akh6
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-6597
reference_id
reference_type
scores
0
value 0.00011
scoring_system epss
scoring_elements 0.01574
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-6597
1
reference_url https://gist.github.com/chenhouser2025/b93261c6e651f14800a4f2e4365f357b
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:M/C:P/I:N/A:N/E:POC/RL:ND/RC:UR
1
value 2.7
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
2
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
3
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
4
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
5
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T11:42:17Z/
url https://gist.github.com/chenhouser2025/b93261c6e651f14800a4f2e4365f357b
2
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-6597
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-6597
4
reference_url https://vuldb.com/submit/791920
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:M/C:P/I:N/A:N/E:POC/RL:ND/RC:UR
1
value 2.7
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
2
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
3
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
4
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
5
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T11:42:17Z/
url https://vuldb.com/submit/791920
5
reference_url https://vuldb.com/vuln/358232
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:M/C:P/I:N/A:N/E:POC/RL:ND/RC:UR
1
value 2.7
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
2
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
3
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
4
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
5
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T11:42:17Z/
url https://vuldb.com/vuln/358232
6
reference_url https://vuldb.com/vuln/358232/cti
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:M/C:P/I:N/A:N/E:POC/RL:ND/RC:UR
1
value 2.7
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
2
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
3
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
4
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
5
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T11:42:17Z/
url https://vuldb.com/vuln/358232/cti
7
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
8
reference_url https://github.com/advisories/GHSA-5jjf-wcvf-923w
reference_id GHSA-5jjf-wcvf-923w
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5jjf-wcvf-923w
fixed_packages
0
url pkg:pypi/langflow@1.8.4
purl pkg:pypi/langflow@1.8.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-22hm-534x-fyed
1
vulnerability VCID-3kr1-vtdc-43hb
2
vulnerability VCID-dsgg-w6zh-5fek
3
vulnerability VCID-meqh-b1cj-wqgd
4
vulnerability VCID-rnzn-x922-vkav
5
vulnerability VCID-z1h6-t53p-77aj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.8.4
aliases CVE-2026-6597, GHSA-5jjf-wcvf-923w
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e43u-exka-akh6
10
url VCID-f48g-ys3e-kfbe
vulnerability_id VCID-f48g-ys3e-kfbe
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-6599
reference_id
reference_type
scores
0
value 0.00053
scoring_system epss
scoring_elements 0.16784
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-6599
1
reference_url https://gist.github.com/chenhouser2025/a909c47316b7a0948ee68c109ab747a3
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:W/RC:UR
1
value 6.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R
2
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R
3
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
5
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:24:29Z/
url https://gist.github.com/chenhouser2025/a909c47316b7a0948ee68c109ab747a3
2
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-6599
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-6599
4
reference_url https://vuldb.com/submit/791922
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:W/RC:UR
1
value 6.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R
2
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
3
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R
4
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
5
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:24:29Z/
url https://vuldb.com/submit/791922
5
reference_url https://vuldb.com/vuln/358234
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:W/RC:UR
1
value 6.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R
2
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R
3
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
5
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:24:29Z/
url https://vuldb.com/vuln/358234
6
reference_url https://vuldb.com/vuln/358234/cti
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:W/RC:UR
1
value 6.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R
2
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R
3
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
5
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:24:29Z/
url https://vuldb.com/vuln/358234/cti
7
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
8
reference_url https://github.com/advisories/GHSA-v66p-f7x3-4794
reference_id GHSA-v66p-f7x3-4794
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v66p-f7x3-4794
fixed_packages
0
url pkg:pypi/langflow@1.8.4
purl pkg:pypi/langflow@1.8.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-22hm-534x-fyed
1
vulnerability VCID-3kr1-vtdc-43hb
2
vulnerability VCID-dsgg-w6zh-5fek
3
vulnerability VCID-meqh-b1cj-wqgd
4
vulnerability VCID-rnzn-x922-vkav
5
vulnerability VCID-z1h6-t53p-77aj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.8.4
aliases CVE-2026-6599, GHSA-v66p-f7x3-4794
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f48g-ys3e-kfbe
11
url VCID-h5t6-zh8q-nkhh
vulnerability_id VCID-h5t6-zh8q-nkhh
summary 
Langflow versions prior to 1.3.0 are susceptible to code injection in 
the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary
code.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-3248
reference_id
reference_type
scores
0
value 0.92556
scoring_system epss
scoring_elements 0.99752
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-3248
1
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow
2
reference_url https://github.com/langflow-ai/langflow/commit/faac4db133de32fcb6d483fa9ff52f40ce42bdc0
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/commit/faac4db133de32fcb6d483fa9ff52f40ce42bdc0
3
reference_url https://github.com/langflow-ai/langflow/pull/6911
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-08-15T19:50:13Z/
url https://github.com/langflow-ai/langflow/pull/6911
4
reference_url https://github.com/langflow-ai/langflow/releases/tag/1.3.0
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-08-15T19:50:13Z/
url https://github.com/langflow-ai/langflow/releases/tag/1.3.0
5
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-rvqx-wpfh-mfx7
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-rvqx-wpfh-mfx7
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-3248
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-3248
7
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3248
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3248
8
reference_url https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai
9
reference_url https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-08-15T19:50:13Z/
url https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/
10
reference_url https://www.vulncheck.com/advisories/langflow-unauthenticated-rce
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-08-15T19:50:13Z/
url https://www.vulncheck.com/advisories/langflow-unauthenticated-rce
11
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/52262.txt
reference_id CVE-2025-3248
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/52262.txt
12
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52364.py
reference_id CVE-2025-3248
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52364.py
fixed_packages
0
url pkg:pypi/langflow@1.3.0
purl pkg:pypi/langflow@1.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-22hm-534x-fyed
1
vulnerability VCID-3kr1-vtdc-43hb
2
vulnerability VCID-53es-gfv9-qugp
3
vulnerability VCID-5q3j-kw8n-3ufk
4
vulnerability VCID-9ant-8hr4-a7ak
5
vulnerability VCID-9vte-9ecr-quhw
6
vulnerability VCID-cf4w-2j9d-kqee
7
vulnerability VCID-dsgg-w6zh-5fek
8
vulnerability VCID-e43u-exka-akh6
9
vulnerability VCID-f48g-ys3e-kfbe
10
vulnerability VCID-hu3f-1d7m-qfaq
11
vulnerability VCID-p558-xn8f-mff1
12
vulnerability VCID-quy8-3rhy-wufd
13
vulnerability VCID-rnzn-x922-vkav
14
vulnerability VCID-txxh-vg3y-qqe4
15
vulnerability VCID-uqbp-kmed-fyc8
16
vulnerability VCID-z1h6-t53p-77aj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.3.0
aliases CVE-2025-3248, GHSA-rvqx-wpfh-mfx7, PYSEC-2025-36
risk_score 10.0
exploitability 2.0
weighted_severity 8.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-h5t6-zh8q-nkhh
12
url VCID-hu3f-1d7m-qfaq
vulnerability_id VCID-hu3f-1d7m-qfaq
summary 
Langflow Missing Authentication on Critical API Endpoints
Multiple critical API endpoints in Langflow are missing authentication controls, allowing any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-21445
reference_id
reference_type
scores
0
value 0.11673
scoring_system epss
scoring_elements 0.93793
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-21445
1
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow
2
reference_url https://github.com/langflow-ai/langflow/commit/3fed9fe1b5658f2c8656dbd73508e113a96e486a
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-01-06T04:55:18Z/
url https://github.com/langflow-ai/langflow/commit/3fed9fe1b5658f2c8656dbd73508e113a96e486a
3
reference_url https://github.com/langflow-ai/langflow/releases/tag/1.7.1
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/releases/tag/1.7.1
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-21445
reference_id CVE-2026-21445
reference_type
scores
0
value 8.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-21445
5
reference_url https://github.com/advisories/GHSA-c5cp-vx83-jhqx
reference_id GHSA-c5cp-vx83-jhqx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-c5cp-vx83-jhqx
6
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-c5cp-vx83-jhqx
reference_id GHSA-c5cp-vx83-jhqx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-01-06T04:55:18Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-c5cp-vx83-jhqx
fixed_packages
0
url pkg:pypi/langflow@1.7.1
purl pkg:pypi/langflow@1.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-22hm-534x-fyed
1
vulnerability VCID-3kr1-vtdc-43hb
2
vulnerability VCID-53es-gfv9-qugp
3
vulnerability VCID-9ant-8hr4-a7ak
4
vulnerability VCID-cf4w-2j9d-kqee
5
vulnerability VCID-dsgg-w6zh-5fek
6
vulnerability VCID-e43u-exka-akh6
7
vulnerability VCID-f48g-ys3e-kfbe
8
vulnerability VCID-rnzn-x922-vkav
9
vulnerability VCID-z1h6-t53p-77aj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.7.1
aliases CVE-2026-21445, GHSA-c5cp-vx83-jhqx
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hu3f-1d7m-qfaq
13
url VCID-p558-xn8f-mff1
vulnerability_id VCID-p558-xn8f-mff1
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34046
reference_id
reference_type
scores
0
value 0.00034
scoring_system epss
scoring_elements 0.10597
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34046
1
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow
2
reference_url https://github.com/langflow-ai/langflow/pull/8956
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:57:05Z/
url https://github.com/langflow-ai/langflow/pull/8956
3
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-8c4j-f57c-35cf
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:57:05Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-8c4j-f57c-35cf
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34046
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34046
5
reference_url https://github.com/advisories/GHSA-8c4j-f57c-35cf
reference_id GHSA-8c4j-f57c-35cf
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8c4j-f57c-35cf
fixed_packages
0
url pkg:pypi/langflow@1.5.1
purl pkg:pypi/langflow@1.5.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-22hm-534x-fyed
1
vulnerability VCID-3kr1-vtdc-43hb
2
vulnerability VCID-53es-gfv9-qugp
3
vulnerability VCID-9ant-8hr4-a7ak
4
vulnerability VCID-9vte-9ecr-quhw
5
vulnerability VCID-cf4w-2j9d-kqee
6
vulnerability VCID-dsgg-w6zh-5fek
7
vulnerability VCID-e43u-exka-akh6
8
vulnerability VCID-f48g-ys3e-kfbe
9
vulnerability VCID-hu3f-1d7m-qfaq
10
vulnerability VCID-quy8-3rhy-wufd
11
vulnerability VCID-rnzn-x922-vkav
12
vulnerability VCID-txxh-vg3y-qqe4
13
vulnerability VCID-uqbp-kmed-fyc8
14
vulnerability VCID-z1h6-t53p-77aj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.5.1
aliases CVE-2026-34046, GHSA-8c4j-f57c-35cf
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p558-xn8f-mff1
14
url VCID-quy8-3rhy-wufd
vulnerability_id VCID-quy8-3rhy-wufd
summary Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-68478
reference_id
reference_type
scores
0
value 0.00034
scoring_system epss
scoring_elements 0.10592
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-68478
1
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow
2
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-19T17:23:19Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-68478
reference_id CVE-2025-68478
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-68478
4
reference_url https://github.com/advisories/GHSA-f43r-cc68-gpx4
reference_id GHSA-f43r-cc68-gpx4
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f43r-cc68-gpx4
fixed_packages
0
url pkg:pypi/langflow@1.7.0
purl pkg:pypi/langflow@1.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-22hm-534x-fyed
1
vulnerability VCID-3kr1-vtdc-43hb
2
vulnerability VCID-53es-gfv9-qugp
3
vulnerability VCID-9ant-8hr4-a7ak
4
vulnerability VCID-9vte-9ecr-quhw
5
vulnerability VCID-cf4w-2j9d-kqee
6
vulnerability VCID-dsgg-w6zh-5fek
7
vulnerability VCID-e43u-exka-akh6
8
vulnerability VCID-f48g-ys3e-kfbe
9
vulnerability VCID-hu3f-1d7m-qfaq
10
vulnerability VCID-quy8-3rhy-wufd
11
vulnerability VCID-rnzn-x922-vkav
12
vulnerability VCID-txxh-vg3y-qqe4
13
vulnerability VCID-z1h6-t53p-77aj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.7.0
1
url pkg:pypi/langflow@1.7.1
purl pkg:pypi/langflow@1.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-22hm-534x-fyed
1
vulnerability VCID-3kr1-vtdc-43hb
2
vulnerability VCID-53es-gfv9-qugp
3
vulnerability VCID-9ant-8hr4-a7ak
4
vulnerability VCID-cf4w-2j9d-kqee
5
vulnerability VCID-dsgg-w6zh-5fek
6
vulnerability VCID-e43u-exka-akh6
7
vulnerability VCID-f48g-ys3e-kfbe
8
vulnerability VCID-rnzn-x922-vkav
9
vulnerability VCID-z1h6-t53p-77aj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.7.1
aliases CVE-2025-68478, GHSA-f43r-cc68-gpx4, PYSEC-2025-125
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-quy8-3rhy-wufd
15
url VCID-txxh-vg3y-qqe4
vulnerability_id VCID-txxh-vg3y-qqe4
summary 
Langflow vulnerable to Server-Side Request Forgery
**Vulnerability Overview**


Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, and then sends the request using a server-side httpx client. It does not block private IP ranges (127.0.0.1, the 10/172/192 ranges) or cloud metadata endpoints (169.254.169.254), and it returns the response body as the result.

Because the flow execution endpoints (/api/v1/run, /api/v1/run/advanced) can be invoked with just an API key, if an attacker can control the API Request URL in a flow, non-blind SSRF is possible—accessing internal resources from the server’s network context. This enables requests to, and collection of responses from, internal administrative endpoints, metadata services, and internal databases/services, leading to information disclosure and providing a foothold for further attacks.

**Vulnerable Code**

1. When a flow runs, the API Request URL is set via user input or tweaks, or it falls back to the value stored in the node UI.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-68477
reference_id
reference_type
scores
0
value 0.00027
scoring_system epss
scoring_elements 0.08205
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-68477
1
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-68477
reference_id CVE-2025-68477
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-68477
3
reference_url https://github.com/advisories/GHSA-5993-7p27-66g5
reference_id GHSA-5993-7p27-66g5
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5993-7p27-66g5
4
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-5993-7p27-66g5
reference_id GHSA-5993-7p27-66g5
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-19T17:23:37Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-5993-7p27-66g5
fixed_packages
0
url pkg:pypi/langflow@1.7.1
purl pkg:pypi/langflow@1.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-22hm-534x-fyed
1
vulnerability VCID-3kr1-vtdc-43hb
2
vulnerability VCID-53es-gfv9-qugp
3
vulnerability VCID-9ant-8hr4-a7ak
4
vulnerability VCID-cf4w-2j9d-kqee
5
vulnerability VCID-dsgg-w6zh-5fek
6
vulnerability VCID-e43u-exka-akh6
7
vulnerability VCID-f48g-ys3e-kfbe
8
vulnerability VCID-rnzn-x922-vkav
9
vulnerability VCID-z1h6-t53p-77aj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.7.1
aliases CVE-2025-68477, GHSA-5993-7p27-66g5
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-txxh-vg3y-qqe4
16
url VCID-uewy-ce1y-z3hg
vulnerability_id VCID-uewy-ce1y-z3hg
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-48061
reference_id
reference_type
scores
0
value 0.132
scoring_system epss
scoring_elements 0.94253
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-48061
1
reference_url https://gist.github.com/AfterSnows/1e58257867002462923fd62dde2b5d61
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-06T19:16:58Z/
url https://gist.github.com/AfterSnows/1e58257867002462923fd62dde2b5d61
2
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow
3
reference_url https://github.com/langflow-ai/langflow/issues/696
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/issues/696
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-48061
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-48061
5
reference_url https://rumbling-slice-eb0.notion.site/There-is-a-Remote-Code-Execution-RCE-vulnerability-in-the-repository-https-github-com-langflow-a-105e3cda9e8c800fac92f1b571bd40d8
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-06T19:16:58Z/
url https://rumbling-slice-eb0.notion.site/There-is-a-Remote-Code-Execution-RCE-vulnerability-in-the-repository-https-github-com-langflow-a-105e3cda9e8c800fac92f1b571bd40d8
6
reference_url https://github.com/advisories/GHSA-5p5r-57fx-pmfr
reference_id GHSA-5p5r-57fx-pmfr
reference_type
scores
url https://github.com/advisories/GHSA-5p5r-57fx-pmfr
fixed_packages
0
url pkg:pypi/langflow@1.0.19
purl pkg:pypi/langflow@1.0.19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-22hm-534x-fyed
1
vulnerability VCID-3kr1-vtdc-43hb
2
vulnerability VCID-53es-gfv9-qugp
3
vulnerability VCID-5q3j-kw8n-3ufk
4
vulnerability VCID-9ant-8hr4-a7ak
5
vulnerability VCID-9vte-9ecr-quhw
6
vulnerability VCID-cf4w-2j9d-kqee
7
vulnerability VCID-dsgg-w6zh-5fek
8
vulnerability VCID-e43u-exka-akh6
9
vulnerability VCID-f48g-ys3e-kfbe
10
vulnerability VCID-h5t6-zh8q-nkhh
11
vulnerability VCID-hu3f-1d7m-qfaq
12
vulnerability VCID-p558-xn8f-mff1
13
vulnerability VCID-quy8-3rhy-wufd
14
vulnerability VCID-txxh-vg3y-qqe4
15
vulnerability VCID-uqbp-kmed-fyc8
16
vulnerability VCID-x52s-wp7s-r7cg
17
vulnerability VCID-z1h6-t53p-77aj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.0.19
aliases CVE-2024-48061, GHSA-5p5r-57fx-pmfr
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uewy-ce1y-z3hg
17
url VCID-uqbp-kmed-fyc8
vulnerability_id VCID-uqbp-kmed-fyc8
summary Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-34291
reference_id
reference_type
scores
0
value 0.32059
scoring_system epss
scoring_elements 0.96906
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-34291
1
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-05-21T19:39:27Z/
url https://github.com/langflow-ai/langflow
2
reference_url https://github.com/langflow-ai/langflow/pull/10139
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/pull/10139
3
reference_url https://github.com/langflow-ai/langflow/pull/10696
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/pull/10696
4
reference_url https://github.com/langflow-ai/langflow/pull/9240
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/pull/9240
5
reference_url https://github.com/langflow-ai/langflow/pull/9441
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/pull/9441
6
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2025-78.yaml
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2025-78.yaml
7
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-34291
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-34291
8
reference_url https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-05-21T19:39:27Z/
url https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform
9
reference_url https://www.vulncheck.com/advisories/langflow-cors-misconfiguration-to-token-hijack-and-rce
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-05-21T19:39:27Z/
url https://www.vulncheck.com/advisories/langflow-cors-misconfiguration-to-token-hijack-and-rce
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-34291
reference_id CVE-2025-34291
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-34291
11
reference_url https://www.crowdsec.net/vulntracking-report/cve-2025-34291
reference_id CVE-2025-34291
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.crowdsec.net/vulntracking-report/cve-2025-34291
12
reference_url https://github.com/advisories/GHSA-577h-p2hh-v4mv
reference_id GHSA-577h-p2hh-v4mv
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-577h-p2hh-v4mv
fixed_packages
0
url pkg:pypi/langflow@1.7.0
purl pkg:pypi/langflow@1.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-22hm-534x-fyed
1
vulnerability VCID-3kr1-vtdc-43hb
2
vulnerability VCID-53es-gfv9-qugp
3
vulnerability VCID-9ant-8hr4-a7ak
4
vulnerability VCID-9vte-9ecr-quhw
5
vulnerability VCID-cf4w-2j9d-kqee
6
vulnerability VCID-dsgg-w6zh-5fek
7
vulnerability VCID-e43u-exka-akh6
8
vulnerability VCID-f48g-ys3e-kfbe
9
vulnerability VCID-hu3f-1d7m-qfaq
10
vulnerability VCID-quy8-3rhy-wufd
11
vulnerability VCID-rnzn-x922-vkav
12
vulnerability VCID-txxh-vg3y-qqe4
13
vulnerability VCID-z1h6-t53p-77aj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.7.0
aliases CVE-2025-34291, GHSA-577h-p2hh-v4mv, PYSEC-2025-78
risk_score 10.0
exploitability 2.0
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uqbp-kmed-fyc8
18
url VCID-x52s-wp7s-r7cg
vulnerability_id VCID-x52s-wp7s-r7cg
summary 
Duplicate Advisory: Langflow Vulnerable to Code Injection via the `/api/v1/validate/code` endpoint
### Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-rvqx-wpfh-mfx7. This link is maintained to preserve external references.

### Original Description

Langflow versions prior to 1.3.0 are susceptible to code injection in the `/api/v1/validate/code` endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
references
0
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow
1
reference_url https://github.com/langflow-ai/langflow/pull/6911
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/pull/6911
2
reference_url https://github.com/langflow-ai/langflow/releases/tag/1.3.0
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/releases/tag/1.3.0
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-3248
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-3248
4
reference_url https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai
5
reference_url https://github.com/advisories/GHSA-c995-4fw3-j39m
reference_id GHSA-c995-4fw3-j39m
reference_type
scores
url https://github.com/advisories/GHSA-c995-4fw3-j39m
fixed_packages
0
url pkg:pypi/langflow@1.3.0
purl pkg:pypi/langflow@1.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-22hm-534x-fyed
1
vulnerability VCID-3kr1-vtdc-43hb
2
vulnerability VCID-53es-gfv9-qugp
3
vulnerability VCID-5q3j-kw8n-3ufk
4
vulnerability VCID-9ant-8hr4-a7ak
5
vulnerability VCID-9vte-9ecr-quhw
6
vulnerability VCID-cf4w-2j9d-kqee
7
vulnerability VCID-dsgg-w6zh-5fek
8
vulnerability VCID-e43u-exka-akh6
9
vulnerability VCID-f48g-ys3e-kfbe
10
vulnerability VCID-hu3f-1d7m-qfaq
11
vulnerability VCID-p558-xn8f-mff1
12
vulnerability VCID-quy8-3rhy-wufd
13
vulnerability VCID-rnzn-x922-vkav
14
vulnerability VCID-txxh-vg3y-qqe4
15
vulnerability VCID-uqbp-kmed-fyc8
16
vulnerability VCID-z1h6-t53p-77aj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.3.0
aliases GHSA-c995-4fw3-j39m
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x52s-wp7s-r7cg
19
url VCID-z1h6-t53p-77aj
vulnerability_id VCID-z1h6-t53p-77aj
summary Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200. In a multi-tenant deployment, any attacker who can discover or guess a `flow_id` (UUIDs can be leaked through other API responses) can download any user's uploaded images without credentials. Version 1.9.0 contains a patch.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33484
reference_id
reference_type
scores
0
value 0.00038
scoring_system epss
scoring_elements 0.11705
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33484
1
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow
2
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-7grx-3xcx-2xv5
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T13:37:08Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-7grx-3xcx-2xv5
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33484
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33484
4
reference_url https://github.com/advisories/GHSA-7grx-3xcx-2xv5
reference_id GHSA-7grx-3xcx-2xv5
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7grx-3xcx-2xv5
fixed_packages
0
url pkg:pypi/langflow@1.9.0
purl pkg:pypi/langflow@1.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3kr1-vtdc-43hb
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.9.0
aliases CVE-2026-33484, GHSA-7grx-3xcx-2xv5, PYSEC-2026-80
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z1h6-t53p-77aj
20
url VCID-zgyu-re1q-wbcv
vulnerability_id VCID-zgyu-re1q-wbcv
summary langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-42835
reference_id
reference_type
scores
0
value 0.07249
scoring_system epss
scoring_elements 0.91749
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-42835
1
reference_url https://github.com/langflow-ai/langflow
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow
2
reference_url https://github.com/langflow-ai/langflow/issues/2908
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-31T18:26:22Z/
url https://github.com/langflow-ai/langflow/issues/2908
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-42835
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-42835
4
reference_url https://github.com/advisories/GHSA-56m6-4mhw-h3g5
reference_id GHSA-56m6-4mhw-h3g5
reference_type
scores
url https://github.com/advisories/GHSA-56m6-4mhw-h3g5
fixed_packages
0
url pkg:pypi/langflow@1.0.13
purl pkg:pypi/langflow@1.0.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1s44-7dfe-c7bq
1
vulnerability VCID-22hm-534x-fyed
2
vulnerability VCID-3kr1-vtdc-43hb
3
vulnerability VCID-53es-gfv9-qugp
4
vulnerability VCID-5q3j-kw8n-3ufk
5
vulnerability VCID-9ant-8hr4-a7ak
6
vulnerability VCID-9vte-9ecr-quhw
7
vulnerability VCID-cf4w-2j9d-kqee
8
vulnerability VCID-dsgg-w6zh-5fek
9
vulnerability VCID-e43u-exka-akh6
10
vulnerability VCID-f48g-ys3e-kfbe
11
vulnerability VCID-h5t6-zh8q-nkhh
12
vulnerability VCID-hu3f-1d7m-qfaq
13
vulnerability VCID-p558-xn8f-mff1
14
vulnerability VCID-quy8-3rhy-wufd
15
vulnerability VCID-txxh-vg3y-qqe4
16
vulnerability VCID-uewy-ce1y-z3hg
17
vulnerability VCID-uqbp-kmed-fyc8
18
vulnerability VCID-x52s-wp7s-r7cg
19
vulnerability VCID-z1h6-t53p-77aj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.0.13
aliases CVE-2024-42835, GHSA-56m6-4mhw-h3g5, PYSEC-2024-279
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zgyu-re1q-wbcv
Fixing_vulnerabilities
Risk_score10.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.0.9