{"url":"http://public2.vulnerablecode.io/api/packages/40580?format=json","purl":"pkg:pypi/langflow@0.6.3a5","type":"pypi","namespace":"","name":"langflow","version":"0.6.3a5","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.9.1","latest_non_vulnerable_version":"1.9.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9149?format=json","vulnerability_id":"VCID-16te-bm24-e3hu","summary":"Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the \"POST /api/v1/custom_component\" endpoint and provide a Python script.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-37014","reference_id":"","reference_type":"","scores":[{"value":"0.0596","scoring_system":"epss","scoring_elements":"0.90796","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-37014"},{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://github.com/langflow-ai/langflow/issues/1973","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-12T14:47:28Z/"}],"url":"https://github.com/langflow-ai/langflow/issues/1973"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2024-177.yaml","reference_id":"
","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2024-177.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37014","reference_id":"CVE-2024-37014","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37014"},{"reference_url":"https://github.com/advisories/GHSA-qg33-x2c5-6p44","reference_id":"GHSA-qg33-x2c5-6p44","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qg33-x2c5-6p44"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40622?format=json","purl":"pkg:pypi/langflow@1.0.0a3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16te-bm24-e3hu"},{"vulnerability":"VCID-1s44-7dfe-c7bq"},{"vulnerability":"VCID-22hm-534x-fyed"},{"vulnerability":"VCID-3kr1-vtdc-43hb"},{"vulnerability":"VCID-53es-gfv9-qugp"},{"vulnerability":"VCID-5q3j-kw8n-3ufk"},{"vulnerability":"VCID-9ant-8hr4-a7ak"},{"vulnerability":"VCID-9vte-9ecr-quhw"},{"vulnerability":"VCID-cf4w-2j9d-kqee"},{"vulnerability":"VCID-dsgg-w6zh-5fek"},{"vulnerability":"VCID-e43u-exka-akh6"},{"vulnerability":"VCID-f48g-ys3e-kfbe"},{"vulnerability":"VCID-h5t6-zh8q-nkhh"},{"vulnerability":"VCID-hu3f-1d7m-qfaq"},{"vulnerability":"VCID-p558-xn8f-mff1"},{"vulnerability":"VCID-quy8-3rhy-wufd"},{"vulnerability":"VCID-txxh-vg3y-qqe4"},{"vulnerability":"VCID-uewy-ce1y-z3hg"},{"vulnerability":"VCID-uqbp-kmed-fyc8"},{"vulnerability":"VCID-x52s-wp7s-r7cg"},{"vulnerability":"VCID-zgyu-re1q-wbcv"}],"resource_url":"http://public2
.vulnerablecode.io/packages/pkg:pypi/langflow@1.0.0a3"},{"url":"http://public2.vulnerablecode.io/api/packages/43711?format=json","purl":"pkg:pypi/langflow@1.0.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1s44-7dfe-c7bq"},{"vulnerability":"VCID-22hm-534x-fyed"},{"vulnerability":"VCID-3kr1-vtdc-43hb"},{"vulnerability":"VCID-53es-gfv9-qugp"},{"vulnerability":"VCID-5q3j-kw8n-3ufk"},{"vulnerability":"VCID-9ant-8hr4-a7ak"},{"vulnerability":"VCID-9vte-9ecr-quhw"},{"vulnerability":"VCID-cf4w-2j9d-kqee"},{"vulnerability":"VCID-dsgg-w6zh-5fek"},{"vulnerability":"VCID-e43u-exka-akh6"},{"vulnerability":"VCID-f48g-ys3e-kfbe"},{"vulnerability":"VCID-h5t6-zh8q-nkhh"},{"vulnerability":"VCID-hu3f-1d7m-qfaq"},{"vulnerability":"VCID-p558-xn8f-mff1"},{"vulnerability":"VCID-quy8-3rhy-wufd"},{"vulnerability":"VCID-txxh-vg3y-qqe4"},{"vulnerability":"VCID-uewy-ce1y-z3hg"},{"vulnerability":"VCID-uqbp-kmed-fyc8"},{"vulnerability":"VCID-x52s-wp7s-r7cg"},{"vulnerability":"VCID-z1h6-t53p-77aj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.0.15"}],"aliases":["CVE-2024-37014","GHSA-qg33-x2c5-6p44","PYSEC-2024-177"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-16te-bm24-e3hu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/277055?format=json","vulnerability_id":"VCID-1s44-7dfe-c7bq","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-9277","reference_id":"","reference_type":"","scores":[{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.37955","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-9277"},{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.1","sc
oring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://github.com/langflow-ai/langflow/blob/main/src/backend/base/langflow/interface/utils.py#L65","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow/blob/main/src/backend/base/langflow/interface/utils.py#L65"},{"reference_url":"https://rumbling-slice-eb0.notion.site/Remote-Redos-in-https-github-com-langflow-ai-langflow-067159ced0d5494e91b06071384969c4?pvs=4","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv2","scoring_elements":"AV:A/AC:M/Au:S/C:N/I:N/A:P"},{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-27T15:01:06Z/"}],"url":"https://rumbling-slice-eb0.notion.site/Remote-Redos-in-https-github-com-langflow-ai-langflow-067159ced0d5494e91b06071384969c4?pvs=4"},{"reference_url":"https://vuldb.com/?ctiid.278659","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv2","scoring_elements":"AV:A/AC:M/Au:S/C:N/I:N/A:P"},{"value":"
3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-27T15:01:06Z/"}],"url":"https://vuldb.com/?ctiid.278659"},{"reference_url":"https://vuldb.com/?id.278659","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv2","scoring_elements":"AV:A/AC:M/Au:S/C:N/I:N/A:P"},{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-27T15:01:06Z/"}],"url":"https://vuldb.com/?id.278659"},{"reference_url":"https://vuldb.com/?submit.410043","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv2","scoring_elements":"AV:A/AC:M/Au:S/C:N/I:N/A:P"},{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","sc
oring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-27T15:01:06Z/"}],"url":"https://vuldb.com/?submit.410043"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-9277","reference_id":"CVE-2024-9277","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-9277"},{"reference_url":"https://github.com/advisories/GHSA-355v-2rjx-fpx7","reference_id":"GHSA-355v-2rjx-fpx7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-355v-2rjx-fpx7"}],"fixed_packages":[],"aliases":["CVE-2024-9277","GHSA-355v-2rjx-fpx7"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1s44-7dfe-c7bq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9592?format=json","vulnerability_id":"VCID-22hm-534x-fyed","summary":"Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiates the generated class server-side. In deployments where an attacker can access the Agentic Assistant feature and influence the model output, this can result in arbitrary server-side Python execution. 
Version 1.9.0 fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33873","reference_id":"","reference_type":"","scores":[{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17815","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33873"},{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/api/router.py#L252-L297","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/"}],"url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/api/router.py#L252-L297"},{"reference_url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/api/schemas.py#L20-L31","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_tex
tual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/"}],"url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/api/schemas.py#L20-L31"},{"reference_url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/helpers/code_extraction.py#L11-L53","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/"}],"url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/helpers/code_extraction.py#L11-L53"},{"reference_url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/helpers/validation.py#L27-L47","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/"}],"url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/helpers/validation.py#L27-L47"},{"reference_url":"https://github.com/langflow-ai/langflow/blob/f
7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L142-L156","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/"}],"url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L142-L156"},{"reference_url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L259-L300","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/"}],"url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L259-L300"},{"reference_url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L58-L79","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS
:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/"}],"url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L58-L79"},{"reference_url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/api/utils/core.py#L38","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/"}],"url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/api/utils/core.py#L38"},{"reference_url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/api/v1/login.py#L96-L135","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/"}],"url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/api/v1/login.py#L96-L135"},{"refe
rence_url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/services/auth/utils.py#L156-L163","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/"}],"url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/services/auth/utils.py#L156-L163"},{"reference_url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/services/auth/utils.py#L39-L53","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/"}],"url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/services/auth/utils.py#L39-L53"},{"reference_url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L241-L272","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:
H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/"}],"url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L241-L272"},{"reference_url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L394-L399","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/"}],"url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L394-L399"},{"reference_url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L441-L443","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/"}],"url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L441-L443"},{"reference_url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162
ec96f3571c2cfbcd1fc/src/lfx/src/lfx/services/settings/auth.py#L71-L87","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/"}],"url":"https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/services/settings/auth.py#L71-L87"},{"reference_url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-v8hw-mh8c-jxfc","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/"}],"url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-v8hw-mh8c-jxfc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33873","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33873"},{"reference_url":"https://github.com/advisories/GHSA-v8hw-mh8c-jxfc","reference_id":"GHSA-v8hw-mh8c-jxfc","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cv
ssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v8hw-mh8c-jxfc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47738?format=json","purl":"pkg:pypi/langflow@1.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3kr1-vtdc-43hb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.9.0"}],"aliases":["CVE-2026-33873","GHSA-v8hw-mh8c-jxfc","PYSEC-2026-82"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-22hm-534x-fyed"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/337631?format=json","vulnerability_id":"VCID-3kr1-vtdc-43hb","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-6598","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0303","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-6598"},{"reference_url":"https://gist.github.com/chenhouser2025/77adb3486c06c635ae4b09a3eaf90213","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"},{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"val
ue":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T16:19:05Z/"}],"url":"https://gist.github.com/chenhouser2025/77adb3486c06c635ae4b09a3eaf90213"},{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://github.com/langflow-ai/langflow/commit/45325f6376309a91f5017fa033a96c09c7e295e3","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow/commit/45325f6376309a91f5017fa033a96c09c7e295e3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6598","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6598"},{"reference_url":"https://vuldb.com/submit/791921","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"},{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/
AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T16:19:05Z/"}],"url":"https://vuldb.com/submit/791921"},{"reference_url":"https://vuldb.com/vuln/358233","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"},{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T16:19:05Z/"}],"url":"https://vuldb.com/vuln/358233"},{"reference_url":"https://vuldb.com/vuln/358233/cti","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:
L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"},{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T16:19:05Z/"}],"url":"https://vuldb.com/vuln/358233/cti"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*"},{"reference_url":"https://github.com/advisories/GHSA-9jpj-cph8-w449","reference_id":"GHSA-9jpj-cph8-w449","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9jpj-cph8-w449"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/188359?format=json","purl":"pkg:pypi/langflow@1.9.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.9.1"}],"aliases":["CVE-2026-6598","GHSA-9jpj-cph8-w449"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3kr1-vtdc-43
hb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22240?format=json","vulnerability_id":"VCID-53es-gfv9-qugp","summary":"Langflow affected by Remote Code Execution via validate_code() exec()\nLangflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-0770","reference_id":"","reference_type":"","scores":[{"value":"0.14653","scoring_system":"epss","scoring_elements":"0.9459","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-0770"},{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://www.zerodayinitiative.com/advisories/ZDI-26-036","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.zerodayinitiative.com/advisories/ZDI-26-036"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52597.py","reference_id":"CVE-2026-0770
","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52597.py"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0770","reference_id":"CVE-2026-0770","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0770"},{"reference_url":"https://github.com/affix/CVE-2026-0770-PoC","reference_id":"CVE-2026-0770-POC","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/affix/CVE-2026-0770-PoC"},{"reference_url":"https://github.com/advisories/GHSA-g22f-v6f7-2hrh","reference_id":"GHSA-g22f-v6f7-2hrh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g22f-v6f7-2hrh"},{"reference_url":"https://www.zerodayinitiative.com/advisories/ZDI-26-036/","reference_id":"ZDI-26-036","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-24T04:56:28Z/"}],"url":"https://www.zerodayinitiative.com/advisories/ZDI-26-036/"}],"fixed_packages":[],"aliases":["CVE-2026-0770","GHSA-g22f-v6f7-2hrh"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-53es-gfv9-qugp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/307794?format=json","vulnerability_id":"VCID-5q3j-kw8n-3ufk","summary":"","references":[{"reference_ur
l":"https://api.first.org/data/v1/epss?cve=CVE-2025-57760","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04525","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57760"},{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://github.com/langflow-ai/langflow/commit/c188ec113c9ca46154ad01d0eded1754cc6bef97","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-25T20:34:06Z/"}],"url":"https://github.com/langflow-ai/langflow/commit/c188ec113c9ca46154ad01d0eded1754cc6bef97"},{"reference_url":"https://github.com/langflow-ai/langflow/pull/9152","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow/pull/9152"},{"reference_url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-4gv9-mp8m-592r","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-25T20:34:06Z/"}],"url"
:"https://github.com/langflow-ai/langflow/security/advisories/GHSA-4gv9-mp8m-592r"},{"reference_url":"http://github.com/langflow-ai/langflow/pull/9152","reference_id":"9152","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-25T20:34:06Z/"}],"url":"http://github.com/langflow-ai/langflow/pull/9152"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57760","reference_id":"CVE-2025-57760","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57760"},{"reference_url":"https://github.com/advisories/GHSA-4gv9-mp8m-592r","reference_id":"GHSA-4gv9-mp8m-592r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4gv9-mp8m-592r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/45508?format=json","purl":"pkg:pypi/langflow@1.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-22hm-534x-fyed"},{"vulnerability":"VCID-3kr1-vtdc-43hb"},{"vulnerability":"VCID-53es-gfv9-qugp"},{"vulnerability":"VCID-9ant-8hr4-a7ak"},{"vulnerability":"VCID-9vte-9ecr-quhw"},{"vulnerability":"VCID-cf4w-2j9d-kqee"},{"vulnerability":"VCID-dsgg-w6zh-5fek"},{"vulnerability":"VCID-e43u-exka-akh6"},{"vulnerability":"VCID-f48g-ys3e-kfbe"},{"vulnerability":"VCID-hu3f-1d7m-qfaq"},{"vulnerability":"VCID-quy8-3rhy-wufd"},{"vulnerability":"VCID-rnzn-x922-vkav"},{"vulnerability":"VCID-txxh-vg3y-qqe4"},{"vulnerability":"VCID-uqbp-kmed-fyc8"},{"vulnerability":"VCID-z1h6-t53p-77aj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.5.1"}],"aliases":["CVE-2025-57760","GHSA-4gv9-mp8m-592r"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5q3j-kw8n-3ufk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabi
lities/22839?format=json","vulnerability_id":"VCID-9ant-8hr4-a7ak","summary":"Langflow has Remote Code Execution in CSV Agent\nThe CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27966","reference_id":"","reference_type":"","scores":[{"value":"0.37776","scoring_system":"epss","scoring_elements":"0.9728","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27966"},{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://github.com/langflow-ai/langflow/commit/d8c6480daa17b2f2af0b5470cdf5c3d28dc9e508","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-27T14:15:24Z/"}],"url":"https://github.com/langflow-ai/langflow/commit/d8c6480daa17b2f2af0b5470cdf5c3d28dc9e508"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27966","reference_id":"CVE-2026-27966","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail
/CVE-2026-27966"},{"reference_url":"https://github.com/advisories/GHSA-3645-fxcv-hqr4","reference_id":"GHSA-3645-fxcv-hqr4","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3645-fxcv-hqr4"},{"reference_url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-3645-fxcv-hqr4","reference_id":"GHSA-3645-fxcv-hqr4","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-27T14:15:24Z/"}],"url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-3645-fxcv-hqr4"}],"fixed_packages":[],"aliases":["CVE-2026-27966","GHSA-3645-fxcv-hqr4"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9ant-8hr4-a7ak"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9587?format=json","vulnerability_id":"VCID-9vte-9ecr-quhw","summary":"Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpoint, the folder_name and file_name parameters are not strictly filtered, which allows the secret_key to be read across directories. 
Version 1.7.1 contains a patch.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33497","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.1267","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33497"},{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-ph9w-r52h-28p7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:45:18Z/"}],"url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-ph9w-r52h-28p7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33497","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33497"},{"reference_url":"https://github.com/advisories/GHSA-ph9w-r52h-28p7","reference_id":"GHSA-ph9w-r52h-28p7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scor
ing_elements":""}],"url":"https://github.com/advisories/GHSA-ph9w-r52h-28p7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47722?format=json","purl":"pkg:pypi/langflow@1.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-22hm-534x-fyed"},{"vulnerability":"VCID-3kr1-vtdc-43hb"},{"vulnerability":"VCID-53es-gfv9-qugp"},{"vulnerability":"VCID-9ant-8hr4-a7ak"},{"vulnerability":"VCID-cf4w-2j9d-kqee"},{"vulnerability":"VCID-dsgg-w6zh-5fek"},{"vulnerability":"VCID-e43u-exka-akh6"},{"vulnerability":"VCID-f48g-ys3e-kfbe"},{"vulnerability":"VCID-rnzn-x922-vkav"},{"vulnerability":"VCID-z1h6-t53p-77aj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.7.1"}],"aliases":["CVE-2026-33497","GHSA-ph9w-r52h-28p7","PYSEC-2026-81"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9vte-9ecr-quhw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/328475?format=json","vulnerability_id":"VCID-cf4w-2j9d-kqee","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33017","reference_id":"","reference_type":"","scores":[{"value":"0.23981","scoring_system":"epss","scoring_elements":"0.96127","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33017"},{"reference_url":"https://github.com/advisories/GHSA-rvqx-wpfh-mfx7","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system"
:"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-26T03:55:25Z/"}],"url":"https://github.com/advisories/GHSA-rvqx-wpfh-mfx7"},{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-26T03:55:25Z/"}],"url":"https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0"},{"reference_url":"https://github.com/langflow-ai/langflow/issues/12345","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow/issues/12345"},{"reference_url":"https://github.com/langflow-ai/langflow/
pull/12160","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow/pull/12160"},{"reference_url":"https://github.com/langflow-ai/langflow/releases/tag/1.8.2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow/releases/tag/1.8.2"},{"reference_url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-26T03:55:25Z/"}],"url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx"},{"reference_url":"https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896","reference_id":
"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33017","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33017"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33017","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33017"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A"},{"value":"CRITICAL","scoring_system":"generic_t
extual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017"},{"reference_url":"https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours"},{"reference_url":"https://github.com/advisories/GHSA-vwmf-pq79-vjvx","reference_id":"GHSA-vwmf-pq79-vjvx","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vwmf-pq79-vjvx"}],"fixed_packages":[],"aliases":["CVE-2026-33017","GHSA-vwmf-pq79-vjvx"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cf4w-2j9d-kqee"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9581?format=json","vulnerability_id":"VCID-dsgg-w6zh-5fek","summary":"Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes it with only a generic authentication check (get_current_active_user dependency). 
However, the delete_api_key() CRUD function does NOT verify that the API key belongs to the current user before deletion.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33053","reference_id":"","reference_type":"","scores":[{"value":"0.00057","scoring_system":"epss","scoring_elements":"0.18118","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33053"},{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://github.com/langflow-ai/langflow/commit/fdc1b3b1448ff3317d73d3e769a6c4a1717f74d7","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow/commit/fdc1b3b1448ff3317d73d3e769a6c4a1717f74d7"},{"reference_url":"https://github.com/langflow-ai/langflow/releases/tag/1.7.2","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow/releases/tag/1.7.2"},{"reference_url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-rf6x-r45m-xv3w","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":
"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:L"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T16:22:42Z/"}],"url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-rf6x-r45m-xv3w"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33053","reference_id":"CVE-2026-33053","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33053"},{"reference_url":"https://github.com/advisories/GHSA-rf6x-r45m-xv3w","reference_id":"GHSA-rf6x-r45m-xv3w","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rf6x-r45m-xv3w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47723?format=json","purl":"pkg:pypi/langflow@1.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-22hm-534x-fyed"},{"vulnerability":"VCID-3kr1-vtdc-43hb"},{"vulnerability":"VCID-53es-gfv9-qugp"},{"vulnerability":"VCID-9ant-8hr4-a7ak"},{"vulnerability":"VCID-cf4w-2j9d-kqee"},{"vulnerability":"VCID-dsgg-w6zh-5fek"},{"vulnerability":"VCID-e43u-exka-akh6"},{"vulnerability":"VCID-f48g-ys3e-kfbe"},{"vulnerability":"VCID-rnzn-x922-vkav"},{"vulnerability":"VCID-z1h6-t53p-77aj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.7.2"},{"url":"http://public2.vulnerablecode.io/api/packages/47738?format=json","purl":"pkg:pypi/langflow@1.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3kr1-vtdc-43hb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.9.0"}],"aliases":["CVE-2026-33053","GHSA-rf6x-r45m-xv3w","PYSEC-2026-78"],"risk_score":4.0,"exploitab
ility":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dsgg-w6zh-5fek"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/337630?format=json","vulnerability_id":"VCID-e43u-exka-akh6","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-6597","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01574","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-6597"},{"reference_url":"https://gist.github.com/chenhouser2025/b93261c6e651f14800a4f2e4365f357b","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:M/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"},{"value":"2.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"},{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"},{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T11:42:17Z/"}],"url":"https://gist.github.com/chenhouser2025/b93261c6e651f14800a4f2e4365f357b"},{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N
/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6597","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6597"},{"reference_url":"https://vuldb.com/submit/791920","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:M/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"},{"value":"2.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"},{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T11:42:17Z/"}],"url":"https://vuldb.com/submit/791920"},{"reference_url":"https://vuldb.com/vuln/358232","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:M/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"},{"value":"2.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"},{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"},{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T11:42:17Z/"}],"url":"https://vuldb.com/vuln/358232"},{"reference_url":"https://vuldb.com/vuln/358232/cti","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:M/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"},{"value":"2.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"},{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"},{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T11:42:17Z/"}],"url":"https://vuldb.com/vuln/358232/cti"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*","referen
ce_id":"cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*"},{"reference_url":"https://github.com/advisories/GHSA-5jjf-wcvf-923w","reference_id":"GHSA-5jjf-wcvf-923w","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5jjf-wcvf-923w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47737?format=json","purl":"pkg:pypi/langflow@1.8.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-22hm-534x-fyed"},{"vulnerability":"VCID-3kr1-vtdc-43hb"},{"vulnerability":"VCID-dsgg-w6zh-5fek"},{"vulnerability":"VCID-meqh-b1cj-wqgd"},{"vulnerability":"VCID-rnzn-x922-vkav"},{"vulnerability":"VCID-z1h6-t53p-77aj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.8.4"}],"aliases":["CVE-2026-6597","GHSA-5jjf-wcvf-923w"],"risk_score":2.3,"exploitability":"0.5","weighted_severity":"4.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e43u-exka-akh6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/337632?format=json","vulnerability_id":"VCID-f48g-ys3e-kfbe","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-6599","reference_id":"","reference_type":"","scores":[{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.16784","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-6599"},{"reference_url":"https://gist.github.com/chenhouser2025/a909c47316b7a0948ee68c109ab747a3","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:W/RC:UR"},{"value":"6.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:
R"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:24:29Z/"}],"url":"https://gist.github.com/chenhouser2025/a909c47316b7a0948ee68c109ab747a3"},{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6599","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6599"},{"reference_url":"https://vuldb.com/submit/791922","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:W/RC:UR"},{"value":"6.3","scoring_system":"cvssv3","scoring_elements":"CV
SS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:24:29Z/"}],"url":"https://vuldb.com/submit/791922"},{"reference_url":"https://vuldb.com/vuln/358234","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:W/RC:UR"},{"value":"6.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:24:29Z/"}],"url":"https://vuldb.com/vuln/358234"},{"reference_url":"https://vuldb.com/vuln/358234/cti","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv2","scoring_elem
ents":"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:W/RC:UR"},{"value":"6.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:24:29Z/"}],"url":"https://vuldb.com/vuln/358234/cti"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*"},{"reference_url":"https://github.com/advisories/GHSA-v66p-f7x3-4794","reference_id":"GHSA-v66p-f7x3-4794","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v66p-f7x3-4794"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47737?format=json","purl":"pkg:pypi/langflow@1.8.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-22hm-534x-fyed"},{"vulnerability":"VCID-3kr1-vtdc-43hb"},{"vulnerability":"VCID-dsgg-w6zh-5fek"},{"vulnerability":"VCID-meqh-b1cj-wqgd"},{"vulnerability":"VCID-rnzn-x922-vkav"},{"vulnerability":"VCID-z1h6-t53p-77aj"}],"resource_url":"http://public2.v
ulnerablecode.io/packages/pkg:pypi/langflow@1.8.4"}],"aliases":["CVE-2026-6599","GHSA-v66p-f7x3-4794"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f48g-ys3e-kfbe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9377?format=json","vulnerability_id":"VCID-h5t6-zh8q-nkhh","summary":"Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3248","reference_id":"","reference_type":"","scores":[{"value":"0.92556","scoring_system":"epss","scoring_elements":"0.99752","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3248"},{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://github.com/langflow-ai/langflow/commit/faac4db133de32fcb6d483fa9ff52f40ce42bdc0","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow/commit/faac4db133de32fcb6d483fa9ff52f40ce42bdc0"},{"reference_url":"https://github.com/langflow-ai/langflow/pull/6911","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","sc
oring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-08-15T19:50:13Z/"}],"url":"https://github.com/langflow-ai/langflow/pull/6911"},{"reference_url":"https://github.com/langflow-ai/langflow/releases/tag/1.3.0","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-08-15T19:50:13Z/"}],"url":"https://github.com/langflow-ai/langflow/releases/tag/1.3.0"},{"reference_url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-rvqx-wpfh-mfx7","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-rvqx-wpfh-mfx7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3248","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3248"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3248","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scori
ng_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3248"},{"reference_url":"https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai"},{"reference_url":"https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-08-15T19:50:13Z/"}],"url":"https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/"},{"reference_url":"https://www.vulncheck.com/advisories/langflow-unauthenticated-rce","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-08-15T19:50:13Z/"}],"url":"https://www.vulncheck.com/advisories/langflow-unauthenticated-rce"},{"reference_url"
:"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/52262.txt","reference_id":"CVE-2025-3248","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/52262.txt"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52364.py","reference_id":"CVE-2025-3248","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52364.py"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43725?format=json","purl":"pkg:pypi/langflow@1.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-22hm-534x-fyed"},{"vulnerability":"VCID-3kr1-vtdc-43hb"},{"vulnerability":"VCID-53es-gfv9-qugp"},{"vulnerability":"VCID-5q3j-kw8n-3ufk"},{"vulnerability":"VCID-9ant-8hr4-a7ak"},{"vulnerability":"VCID-9vte-9ecr-quhw"},{"vulnerability":"VCID-cf4w-2j9d-kqee"},{"vulnerability":"VCID-dsgg-w6zh-5fek"},{"vulnerability":"VCID-e43u-exka-akh6"},{"vulnerability":"VCID-f48g-ys3e-kfbe"},{"vulnerability":"VCID-hu3f-1d7m-qfaq"},{"vulnerability":"VCID-p558-xn8f-mff1"},{"vulnerability":"VCID-quy8-3rhy-wufd"},{"vulnerability":"VCID-rnzn-x922-vkav"},{"vulnerability":"VCID-txxh-vg3y-qqe4"},{"vulnerability":"VCID-uqbp-kmed-fyc8"},{"vulnerability":"VCID-z1h6-t53p-77aj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.3.0"}],"aliases":["CVE-2025-3248","GHSA-rvqx-wpfh-mfx7","PYSEC-2025-36"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h5t6-zh8q-nkhh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/21957?format=json","vulnerability_id":"VCID-hu3f-1d7m-qfaq","summary":"Langflow Missing Authentication on Critical API Endpoints\nMultiple critical API endpoints in Langflow are missing authentication controls, allowing any 
unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21445","reference_id":"","reference_type":"","scores":[{"value":"0.11673","scoring_system":"epss","scoring_elements":"0.93793","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21445"},{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://github.com/langflow-ai/langflow/commit/3fed9fe1b5658f2c8656dbd73508e113a96e486a","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-01-06T04:55:18Z/"}],"url":"https://github.com/langflow-ai/langflow/commit/3fed9fe1b5658f2c8656dbd73508e113a96e486a"},{"reference_url":"https://github.com/langflow-ai/langflow/releases/tag/1.7.1","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow/releases/tag/1.7.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21445","reference_id":"CVE-2
026-21445","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21445"},{"reference_url":"https://github.com/advisories/GHSA-c5cp-vx83-jhqx","reference_id":"GHSA-c5cp-vx83-jhqx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c5cp-vx83-jhqx"},{"reference_url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-c5cp-vx83-jhqx","reference_id":"GHSA-c5cp-vx83-jhqx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-01-06T04:55:18Z/"}],"url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-c5cp-vx83-jhqx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47722?format=json","purl":"pkg:pypi/langflow@1.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-22hm-534x-fyed"},{"vulnerability":"VCID-3kr1-vtdc-43hb"},{"vulnerability":"VCID-53es-gfv9-qugp"},{"vulnerability":"VCID-9ant-8hr4-a7ak"},{"vulnerability":"VCID-cf4w-2j9d-kqee"},{"vulnerability":"VCID-dsgg-w6zh-5fek"},{"vulnerability":"VCID-e43u-exka-akh6"},{"vulnerability":"VCID-f48g-ys3e-kfbe"},{"vulnerability":"VCID-rnzn-x922-vkav"},{"vulnerability":"VCID-z1h6-t53p-77aj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.7.1"}],"aliases":["CVE-2026-21445","GHSA-c5cp-vx83-jhqx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0"
,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hu3f-1d7m-qfaq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/329275?format=json","vulnerability_id":"VCID-p558-xn8f-mff1","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34046","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10597","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34046"},{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://github.com/langflow-ai/langflow/pull/8956","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:57:05Z/"}],"url":"https://github.com/langflow-ai/langflow/pull/8956"},{"reference_url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-8c4j-f57c-35cf","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:57:05Z/"}],"url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-
8c4j-f57c-35cf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34046","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34046"},{"reference_url":"https://github.com/advisories/GHSA-8c4j-f57c-35cf","reference_id":"GHSA-8c4j-f57c-35cf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8c4j-f57c-35cf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/45508?format=json","purl":"pkg:pypi/langflow@1.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-22hm-534x-fyed"},{"vulnerability":"VCID-3kr1-vtdc-43hb"},{"vulnerability":"VCID-53es-gfv9-qugp"},{"vulnerability":"VCID-9ant-8hr4-a7ak"},{"vulnerability":"VCID-9vte-9ecr-quhw"},{"vulnerability":"VCID-cf4w-2j9d-kqee"},{"vulnerability":"VCID-dsgg-w6zh-5fek"},{"vulnerability":"VCID-e43u-exka-akh6"},{"vulnerability":"VCID-f48g-ys3e-kfbe"},{"vulnerability":"VCID-hu3f-1d7m-qfaq"},{"vulnerability":"VCID-quy8-3rhy-wufd"},{"vulnerability":"VCID-rnzn-x922-vkav"},{"vulnerability":"VCID-txxh-vg3y-qqe4"},{"vulnerability":"VCID-uqbp-kmed-fyc8"},{"vulnerability":"VCID-z1h6-t53p-77aj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.5.1"}],"aliases":["CVE-2026-34046","GHSA-8c4j-f57c-35cf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p558-xn8f-mff1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9503?format=json","vulnerability_id":"VCID-quy8-3rhy-wufd","summary":"Langflow is a tool for building and deploying AI-powered agents and workflows. 
Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68478","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10592","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68478"},{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-19T17:23:19Z/"}],"url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68478","reference_id":"CVE-2025-68478","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68478"},{"reference
_url":"https://github.com/advisories/GHSA-f43r-cc68-gpx4","reference_id":"GHSA-f43r-cc68-gpx4","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f43r-cc68-gpx4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/45519?format=json","purl":"pkg:pypi/langflow@1.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-22hm-534x-fyed"},{"vulnerability":"VCID-3kr1-vtdc-43hb"},{"vulnerability":"VCID-53es-gfv9-qugp"},{"vulnerability":"VCID-9ant-8hr4-a7ak"},{"vulnerability":"VCID-9vte-9ecr-quhw"},{"vulnerability":"VCID-cf4w-2j9d-kqee"},{"vulnerability":"VCID-dsgg-w6zh-5fek"},{"vulnerability":"VCID-e43u-exka-akh6"},{"vulnerability":"VCID-f48g-ys3e-kfbe"},{"vulnerability":"VCID-hu3f-1d7m-qfaq"},{"vulnerability":"VCID-quy8-3rhy-wufd"},{"vulnerability":"VCID-rnzn-x922-vkav"},{"vulnerability":"VCID-txxh-vg3y-qqe4"},{"vulnerability":"VCID-z1h6-t53p-77aj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.7.0"},{"url":"http://public2.vulnerablecode.io/api/packages/47722?format=json","purl":"pkg:pypi/langflow@1.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-22hm-534x-fyed"},{"vulnerability":"VCID-3kr1-vtdc-43hb"},{"vulnerability":"VCID-53es-gfv9-qugp"},{"vulnerability":"VCID-9ant-8hr4-a7ak"},{"vulnerability":"VCID-cf4w-2j9d-kqee"},{"vulnerability":"VCID-dsgg-w6zh-5fek"},{"vulnerability":"VCID-e43u-exka-akh6"},{"vulnerability":"VCID-f48g-ys3e-kfbe"},{"vulnerability":"VCID-rnzn-x922-vkav"},{"vulnerability":"VCID-z1h6-t53p-77aj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.7.1"}],"aliases":["CVE-2025-68478","GHSA-f43r-cc68-gpx4","PYSEC-2025-125"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-quy8-3rhy-wufd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabiliti
es/21897?format=json","vulnerability_id":"VCID-txxh-vg3y-qqe4","summary":"Langflow vulnerable to Server-Side Request Forgery\n**Vulnerability Overview**\n\n\nLangflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, and then sends the request using a server-side httpx client. It does not block private IP ranges (127.0.0.1, the 10/172/192 ranges) or cloud metadata endpoints (169.254.169.254), and it returns the response body as the result.\n\nBecause the flow execution endpoints (/api/v1/run, /api/v1/run/advanced) can be invoked with just an API key, if an attacker can control the API Request URL in a flow, non-blind SSRF is possible—accessing internal resources from the server’s network context. This enables requests to, and collection of responses from, internal administrative endpoints, metadata services, and internal databases/services, leading to information disclosure and providing a foothold for further attacks.\n\n**Vulnerable Code**\n\n1. 
When a flow runs, the API Request URL is set via user input or tweaks, or it falls back to the value stored in the node UI.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68477","reference_id":"","reference_type":"","scores":[{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.08205","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68477"},{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68477","reference_id":"CVE-2025-68477","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68477"},{"reference_url":"https://github.com/advisories/GHSA-5993-7p27-66g5","reference_id":"GHSA-5993-7p27-66g5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5993-7p27-66g5"},{"reference_url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-5993-7p27-66g5","reference_id":"GHSA-5993-7p27-66g5","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-19T17:23:37Z/"}],"url":"https://github.com/langflow-ai/langflow
/security/advisories/GHSA-5993-7p27-66g5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47722?format=json","purl":"pkg:pypi/langflow@1.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-22hm-534x-fyed"},{"vulnerability":"VCID-3kr1-vtdc-43hb"},{"vulnerability":"VCID-53es-gfv9-qugp"},{"vulnerability":"VCID-9ant-8hr4-a7ak"},{"vulnerability":"VCID-cf4w-2j9d-kqee"},{"vulnerability":"VCID-dsgg-w6zh-5fek"},{"vulnerability":"VCID-e43u-exka-akh6"},{"vulnerability":"VCID-f48g-ys3e-kfbe"},{"vulnerability":"VCID-rnzn-x922-vkav"},{"vulnerability":"VCID-z1h6-t53p-77aj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.7.1"}],"aliases":["CVE-2025-68477","GHSA-5993-7p27-66g5"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-txxh-vg3y-qqe4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/266105?format=json","vulnerability_id":"VCID-uewy-ce1y-z3hg","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-48061","reference_id":"","reference_type":"","scores":[{"value":"0.132","scoring_system":"epss","scoring_elements":"0.94253","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-48061"},{"reference_url":"https://gist.github.com/AfterSnows/1e58257867002462923fd62dde2b5d61","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-06T19:16:58Z/"}],"url":"https://gist.github.com/AfterSnows/1e58257867002462923fd62dde2b5
d61"},{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://github.com/langflow-ai/langflow/issues/696","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow/issues/696"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-48061","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-48061"},{"reference_url":"https://rumbling-slice-eb0.notion.site/There-is-a-Remote-Code-Execution-RCE-vulnerability-in-the-repository-https-github-com-langflow-a-105e3cda9e8c800fac92f1b571bd40d8","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P"},{"value":"MODERATE","scoring_system":"generic_textu
al","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-06T19:16:58Z/"}],"url":"https://rumbling-slice-eb0.notion.site/There-is-a-Remote-Code-Execution-RCE-vulnerability-in-the-repository-https-github-com-langflow-a-105e3cda9e8c800fac92f1b571bd40d8"},{"reference_url":"https://github.com/advisories/GHSA-5p5r-57fx-pmfr","reference_id":"GHSA-5p5r-57fx-pmfr","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5p5r-57fx-pmfr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43715?format=json","purl":"pkg:pypi/langflow@1.0.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-22hm-534x-fyed"},{"vulnerability":"VCID-3kr1-vtdc-43hb"},{"vulnerability":"VCID-53es-gfv9-qugp"},{"vulnerability":"VCID-5q3j-kw8n-3ufk"},{"vulnerability":"VCID-9ant-8hr4-a7ak"},{"vulnerability":"VCID-9vte-9ecr-quhw"},{"vulnerability":"VCID-cf4w-2j9d-kqee"},{"vulnerability":"VCID-dsgg-w6zh-5fek"},{"vulnerability":"VCID-e43u-exka-akh6"},{"vulnerability":"VCID-f48g-ys3e-kfbe"},{"vulnerability":"VCID-h5t6-zh8q-nkhh"},{"vulnerability":"VCID-hu3f-1d7m-qfaq"},{"vulnerability":"VCID-p558-xn8f-mff1"},{"vulnerability":"VCID-quy8-3rhy-wufd"},{"vulnerability":"VCID-txxh-vg3y-qqe4"},{"vulnerability":"VCID-uqbp-kmed-fyc8"},{"vulnerability":"VCID-x52s-wp7s-r7cg"},{"vulnerability":"VCID-z1h6-t53p-77aj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.0.19"}],"aliases":["CVE-2024-48061","GHSA-5p5r-57fx-pmfr"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uewy-ce1y-z3hg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9489?format=json","vulnerability_id":"VCID-uqbp-kmed-fyc8","summary":"Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. 
An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-34291","reference_id":"","reference_type":"","scores":[{"value":"0.32059","scoring_system":"epss","scoring_elements":"0.96906","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-34291"},{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-05-21T19:39:27Z/"}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://github.com/langflow-ai/langflow/pull/10139","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow/pull/10139"},{"reference_u
rl":"https://github.com/langflow-ai/langflow/pull/10696","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow/pull/10696"},{"reference_url":"https://github.com/langflow-ai/langflow/pull/9240","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow/pull/9240"},{"reference_url":"https://github.com/langflow-ai/langflow/pull/9441","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow/pull/9441"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2025-78.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/l
angflow/PYSEC-2025-78.yaml"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-34291","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-34291"},{"reference_url":"https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-05-21T19:39:27Z/"}],"url":"https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform"},{"reference_url":"https://www.vulncheck.com/advisories/langflow-cors-misconfiguration-to-token-hijack-and-rce","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-05-21T19:39:27Z/"}],"url":"htt
ps://www.vulncheck.com/advisories/langflow-cors-misconfiguration-to-token-hijack-and-rce"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-34291","reference_id":"CVE-2025-34291","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-34291"},{"reference_url":"https://www.crowdsec.net/vulntracking-report/cve-2025-34291","reference_id":"CVE-2025-34291","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.crowdsec.net/vulntracking-report/cve-2025-34291"},{"reference_url":"https://github.com/advisories/GHSA-577h-p2hh-v4mv","reference_id":"GHSA-577h-p2hh-v4mv","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-577h-p2hh-v4mv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/45519?format=json","purl":"pkg:pypi/langflow@1.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-22hm-534x-fyed"},{"vulnerability":"VCID-3kr1-vtdc-43hb"},{"vulnerability":"VCID-53es-gfv9-qugp"},{"vulnerability":"VCID-9ant-8hr4-a7ak"},{"vulnerability":"VCID-9vte-9ecr-quhw"},{"vulnerability":"VCID-cf4w-2j9d-kqee"},{"vulnerability":"VCID-dsgg-w6zh-5fek"},{"vulnerability":"VCID-e43u-exka-akh6"},{"vulnerability":"VCID-f48g-ys3e-kfbe"},{"vulnerability":"VCID-hu3f-1d7m-qfaq"},{"vulnerability":"VCID-quy8-3rhy-w
ufd"},{"vulnerability":"VCID-rnzn-x922-vkav"},{"vulnerability":"VCID-txxh-vg3y-qqe4"},{"vulnerability":"VCID-z1h6-t53p-77aj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.7.0"}],"aliases":["CVE-2025-34291","GHSA-577h-p2hh-v4mv","PYSEC-2025-78"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uqbp-kmed-fyc8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/347293?format=json","vulnerability_id":"VCID-x52s-wp7s-r7cg","summary":"Duplicate Advisory: Langflow Vulnerable to Code Injection via the `/api/v1/validate/code` endpoint\n### Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-rvqx-wpfh-mfx7. This link is maintained to preserve external references.\n\n### Original Description\n\nLangflow versions prior to 1.3.0 are susceptible to code injection in the `/api/v1/validate/code` endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary 
code.","references":[{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://github.com/langflow-ai/langflow/pull/6911","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow/pull/6911"},{"reference_url":"https://github.com/langflow-ai/langflow/releases/tag/1.3.0","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow/releases/tag/1.3.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3248","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3248"},{"reference_url":"https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai"},{"reference_url":"
https://github.com/advisories/GHSA-c995-4fw3-j39m","reference_id":"GHSA-c995-4fw3-j39m","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-c995-4fw3-j39m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43725?format=json","purl":"pkg:pypi/langflow@1.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-22hm-534x-fyed"},{"vulnerability":"VCID-3kr1-vtdc-43hb"},{"vulnerability":"VCID-53es-gfv9-qugp"},{"vulnerability":"VCID-5q3j-kw8n-3ufk"},{"vulnerability":"VCID-9ant-8hr4-a7ak"},{"vulnerability":"VCID-9vte-9ecr-quhw"},{"vulnerability":"VCID-cf4w-2j9d-kqee"},{"vulnerability":"VCID-dsgg-w6zh-5fek"},{"vulnerability":"VCID-e43u-exka-akh6"},{"vulnerability":"VCID-f48g-ys3e-kfbe"},{"vulnerability":"VCID-hu3f-1d7m-qfaq"},{"vulnerability":"VCID-p558-xn8f-mff1"},{"vulnerability":"VCID-quy8-3rhy-wufd"},{"vulnerability":"VCID-rnzn-x922-vkav"},{"vulnerability":"VCID-txxh-vg3y-qqe4"},{"vulnerability":"VCID-uqbp-kmed-fyc8"},{"vulnerability":"VCID-z1h6-t53p-77aj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.3.0"}],"aliases":["GHSA-c995-4fw3-j39m"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x52s-wp7s-r7cg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9255?format=json","vulnerability_id":"VCID-zgyu-re1q-wbcv","summary":"langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool 
component.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42835","reference_id":"","reference_type":"","scores":[{"value":"0.07249","scoring_system":"epss","scoring_elements":"0.91749","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42835"},{"reference_url":"https://github.com/langflow-ai/langflow","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langflow-ai/langflow"},{"reference_url":"https://github.com/langflow-ai/langflow/issues/2908","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-31T18:26:22Z/"}],"url":"https://github.com/langflow-ai/langflow/issues/2908"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42835","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42835"},{"reference_url":"https://github.com/advisories/GHSA-56m6-4mhw-h3g5","reference_id":"GHSA-56m6-4mhw-h
3g5","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-56m6-4mhw-h3g5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43709?format=json","purl":"pkg:pypi/langflow@1.0.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1s44-7dfe-c7bq"},{"vulnerability":"VCID-22hm-534x-fyed"},{"vulnerability":"VCID-3kr1-vtdc-43hb"},{"vulnerability":"VCID-53es-gfv9-qugp"},{"vulnerability":"VCID-5q3j-kw8n-3ufk"},{"vulnerability":"VCID-9ant-8hr4-a7ak"},{"vulnerability":"VCID-9vte-9ecr-quhw"},{"vulnerability":"VCID-cf4w-2j9d-kqee"},{"vulnerability":"VCID-dsgg-w6zh-5fek"},{"vulnerability":"VCID-e43u-exka-akh6"},{"vulnerability":"VCID-f48g-ys3e-kfbe"},{"vulnerability":"VCID-h5t6-zh8q-nkhh"},{"vulnerability":"VCID-hu3f-1d7m-qfaq"},{"vulnerability":"VCID-p558-xn8f-mff1"},{"vulnerability":"VCID-quy8-3rhy-wufd"},{"vulnerability":"VCID-txxh-vg3y-qqe4"},{"vulnerability":"VCID-uewy-ce1y-z3hg"},{"vulnerability":"VCID-uqbp-kmed-fyc8"},{"vulnerability":"VCID-x52s-wp7s-r7cg"},{"vulnerability":"VCID-z1h6-t53p-77aj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.0.13"}],"aliases":["CVE-2024-42835","GHSA-56m6-4mhw-h3g5","PYSEC-2024-279"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zgyu-re1q-wbcv"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@0.6.3a5"}