Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/langroid@0.52.0

Type pypi

Namespace

Name langroid

Version 0.52.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 0.59.32

Latest_non_vulnerable_version 0.63.0

Affected_by_vulnerabilities

url VCID-4nk5-2k31-ykcj

vulnerability_id VCID-4nk5-2k31-ykcj

summary Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, `LanceDocChatAgent` uses pandas eval() through `compute_from_docs()`. As a result, an attacker may be able to make the agent run malicious commands through `QueryPlan.dataframe_calc]`) compromising the host system. Langroid 0.53.15 sanitizes input to the affected function by default to tackle the most common attack vectors, and added several warnings about the risky behavior in the project documentation.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-46725

reference_id

reference_type

scores

value	0.0041
scoring_system	epss
scoring_elements	0.61869
published_at	2026-06-12T12:55:00Z

value	0.0041
scoring_system	epss
scoring_elements	0.61768
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-46725

reference_url

https://github.com/langroid/langroid

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/langroid/langroid

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-46725

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-46725

reference_url

https://github.com/langroid/langroid/commit/0d9e4a7bb3ae2eef8d38f2e970ff916599a2b2a6

reference_id

0d9e4a7bb3ae2eef8d38f2e970ff916599a2b2a6

reference_type

scores

value	8.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-05-20T17:52:58Z/

url

https://github.com/langroid/langroid/commit/0d9e4a7bb3ae2eef8d38f2e970ff916599a2b2a6

reference_url	https://github.com/advisories/GHSA-22c2-9gwg-mj59
reference_id	GHSA-22c2-9gwg-mj59
reference_type
scores
url	https://github.com/advisories/GHSA-22c2-9gwg-mj59

reference_url

https://github.com/langroid/langroid/security/advisories/GHSA-22c2-9gwg-mj59

reference_id

GHSA-22c2-9gwg-mj59

reference_type

scores

value	8.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-05-20T17:52:58Z/

url

https://github.com/langroid/langroid/security/advisories/GHSA-22c2-9gwg-mj59

fixed_packages

url pkg:pypi/langroid@0.53.15

purl pkg:pypi/langroid@0.53.15

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-mqhm-ak45-9udn

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langroid@0.53.15

aliases CVE-2025-46725, GHSA-22c2-9gwg-mj59

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4nk5-2k31-ykcj

url VCID-9b7t-pn12-67f1

vulnerability_id VCID-9b7t-pn12-67f1

summary Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, `TableChatAgent` uses `pandas eval()`. If fed by untrusted user input, like the case of a public-facing LLM application, it may be vulnerable to code injection. Langroid 0.53.15 sanitizes input to `TableChatAgent` by default to tackle the most common attack vectors, and added several warnings about the risky behavior in the project documentation.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-46724

reference_id

reference_type

scores

value	0.00206
scoring_system	epss
scoring_elements	0.43012
published_at	2026-06-11T12:55:00Z

value	0.00206
scoring_system	epss
scoring_elements	0.43171
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-46724

reference_url

https://github.com/langroid/langroid

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/langroid/langroid

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-46724

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-46724

reference_url

https://github.com/langroid/langroid/commit/0d9e4a7bb3ae2eef8d38f2e970ff916599a2b2a6

reference_id

0d9e4a7bb3ae2eef8d38f2e970ff916599a2b2a6

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-05-20T17:53:31Z/

url

https://github.com/langroid/langroid/commit/0d9e4a7bb3ae2eef8d38f2e970ff916599a2b2a6

reference_url	https://github.com/advisories/GHSA-jqq5-wc57-f8hj
reference_id	GHSA-jqq5-wc57-f8hj
reference_type
scores
url	https://github.com/advisories/GHSA-jqq5-wc57-f8hj

reference_url

https://github.com/langroid/langroid/security/advisories/GHSA-jqq5-wc57-f8hj

reference_id

GHSA-jqq5-wc57-f8hj

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-05-20T17:53:31Z/

url

https://github.com/langroid/langroid/security/advisories/GHSA-jqq5-wc57-f8hj

fixed_packages

url pkg:pypi/langroid@0.53.15

purl pkg:pypi/langroid@0.53.15

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-mqhm-ak45-9udn

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langroid@0.53.15

aliases CVE-2025-46724, GHSA-jqq5-wc57-f8hj

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9b7t-pn12-67f1

url VCID-mqhm-ak45-9udn

vulnerability_id VCID-mqhm-ak45-9udn

summary Langroid is a framework for building large-language-model-powered applications. Prior to version 0.59.32, there is a bypass to the fix for CVE-2025-46724. TableChatAgent can call pandas_eval tool to evaluate the expression. There is a WAF in langroid/utils/pandas_utils.py introduced to block code injection CVE-2025-46724. However it can be bypassed due to _literal_ok() returning False instead of raising UnsafeCommandError on invalid input, combined with unrestricted access to dangerous dunder attributes (__init__, __globals__, __builtins__). This allows chaining whitelisted DataFrame methods to leak the eval builtin and execute arbitrary code. This issue has been patched in version 0.59.32.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-25481

reference_id

reference_type

scores

value	0.00031
scoring_system	epss
scoring_elements	0.09426
published_at	2026-06-12T12:55:00Z

value	0.00031
scoring_system	epss
scoring_elements	0.09372
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-25481

reference_url

https://github.com/langroid/langroid

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/langroid/langroid

reference_url

https://github.com/langroid/langroid/commit/30abbc1a854dee22fbd2f8b2f575dfdabdb603ea

reference_id

30abbc1a854dee22fbd2f8b2f575dfdabdb603ea

reference_type

scores

value	9.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-04T20:39:55Z/

url

https://github.com/langroid/langroid/commit/30abbc1a854dee22fbd2f8b2f575dfdabdb603ea

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-25481

reference_id

CVE-2026-25481

reference_type

scores

value	9.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-25481

reference_url

https://github.com/langroid/langroid/security/advisories/GHSA-jqq5-wc57-f8hj

reference_id

GHSA-jqq5-wc57-f8hj

reference_type

scores

value	9.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-04T20:39:55Z/

url

https://github.com/langroid/langroid/security/advisories/GHSA-jqq5-wc57-f8hj

reference_url

https://github.com/advisories/GHSA-x34r-63hx-w57f

reference_id

GHSA-x34r-63hx-w57f

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-x34r-63hx-w57f

reference_url

https://github.com/langroid/langroid/security/advisories/GHSA-x34r-63hx-w57f

reference_id

GHSA-x34r-63hx-w57f

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	9.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-04T20:39:55Z/

url

https://github.com/langroid/langroid/security/advisories/GHSA-x34r-63hx-w57f

fixed_packages

url	pkg:pypi/langroid@0.59.32
purl	pkg:pypi/langroid@0.59.32
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/langroid@0.59.32

aliases CVE-2026-25481, GHSA-x34r-63hx-w57f

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mqhm-ak45-9udn

url VCID-mw86-ref9-1uhn

vulnerability_id VCID-mw86-ref9-1uhn

summary

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-46726

reference_id

reference_type

scores

value	0.00446
scoring_system	epss
scoring_elements	0.63905
published_at	2026-06-11T12:55:00Z

value	0.00446
scoring_system	epss
scoring_elements	0.64008
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-46726

reference_url

https://github.com/langroid/langroid

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/langroid/langroid

reference_url

https://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52

reference_url

https://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3

reference_url

https://github.com/langroid/langroid/security/advisories/GHSA-pw95-88fg-3j6f

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/langroid/langroid/security/advisories/GHSA-pw95-88fg-3j6f

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-46726

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-46726

reference_url	https://github.com/advisories/GHSA-pw95-88fg-3j6f
reference_id	GHSA-pw95-88fg-3j6f
reference_type
scores
url	https://github.com/advisories/GHSA-pw95-88fg-3j6f

fixed_packages

url pkg:pypi/langroid@0.53.4

purl pkg:pypi/langroid@0.53.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nk5-2k31-ykcj

vulnerability	VCID-9b7t-pn12-67f1

vulnerability	VCID-mqhm-ak45-9udn

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langroid@0.53.4

aliases CVE-2025-46726, GHSA-pw95-88fg-3j6f

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mw86-ref9-1uhn

Fixing_vulnerabilities

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langroid@0.52.0

Package Instance