{"url":"http://public2.vulnerablecode.io/api/packages/75464?format=json","purl":"pkg:pypi/langchain@0.0.9","type":"pypi","namespace":"","name":"langchain","version":"0.0.9","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.3.30","latest_non_vulnerable_version":"0.3.30","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/139377?format=json","vulnerability_id":"VCID-1618-rc62-rke9","summary":"An issue in langchain langchain-ai v.0.0.232 and before allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-39659","reference_id":"","reference_type":"","scores":[{"value":"0.0161","scoring_system":"epss","scoring_elements":"0.82173","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-39659"},{"reference_url":"https://github.com/advisories/GHSA-prgp-w7vf-ch62","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-prgp-w7vf-ch62"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/cadfce295f8a33828fc635c2e5ea28b883e5c992","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/cadfce295f8a33828fc635c2e5ea28b883e5c992"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/12427","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/12427"},{"reference_url":"https://github.com/langchain-ai/langchain/releases/tag/v0.0.325","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/releases/tag/v0.0.325"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-147.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-147.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39659","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39659"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/5640","reference_id":"5640","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-08T20:27:51Z/"}],"url":"https://github.com/langchain-ai/langchain/pull/5640"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/7700","reference_id":"7700","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-08T20:27:51Z/"}],"url":"https://github.com/langchain-ai/langchain/issues/7700"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76556?format=json","purl":"pkg:pypi/langchain@0.0.233","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1618-rc62-rke9"},{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-8jk9-a8mt-mke3"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-9yh8-14yh-abhr"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-dg53-vte1-zyfy"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-h3je-vmhg-x7bv"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-jpa5-z25b-u3d3"},{"vulnerability":"VCID-n4zy-w2mg-f3hx"},{"vulnerability":"VCID-qvyx-jcxw-sbdh"},{"vulnerability":"VCID-s4wf-9m6c-8yay"},{"vulnerability":"VCID-tvj5-fy4j-yqar"},{"vulnerability":"VCID-uhwf-4hp8-63gv"},{"vulnerability":"VCID-vrea-ew6n-vyf9"},{"vulnerability":"VCID-zh5c-9jvd-jfhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.233"},{"url":"http://public2.vulnerablecode.io/api/packages/83066?format=json","purl":"pkg:pypi/langchain@0.0.325","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-uhwf-4hp8-63gv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.325"}],"aliases":["CVE-2023-39659","GHSA-prgp-w7vf-ch62","PYSEC-2023-147"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1618-rc62-rke9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39718?format=json","vulnerability_id":"VCID-2rhm-rh9f-13b7","summary":"LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution. (A patch is available as of release 0.1.29 of langchain-core.)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28088","reference_id":"","reference_type":"","scores":[{"value":"0.13435","scoring_system":"epss","scoring_elements":"0.94359","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28088"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/e1924b3e93d513ca950c72f8e80e1c133749fba5","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/e1924b3e93d513ca950c72f8e80e1c133749fba5"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain-core/PYSEC-2024-45.yaml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain-core/PYSEC-2024-45.yaml"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-43.yaml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-43.yaml"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/18600","reference_id":"18600","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-07T19:36:26Z/"}],"url":"https://github.com/langchain-ai/langchain/pull/18600"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28088","reference_id":"CVE-2024-28088","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28088"},{"reference_url":"https://github.com/advisories/GHSA-h59x-p739-982c","reference_id":"GHSA-h59x-p739-982c","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h59x-p739-982c"},{"reference_url":"https://github.com/langchain-ai/langchain/blob/f96dd57501131840b713ed7c2e86cbf1ddc2761f/libs/core/langchain_core/utils/loading.py","reference_id":"loading.py","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-07T19:36:26Z/"}],"url":"https://github.com/langchain-ai/langchain/blob/f96dd57501131840b713ed7c2e86cbf1ddc2761f/libs/core/langchain_core/utils/loading.py"},{"reference_url":"https://github.com/PinkDraconian/PoC-Langchain-RCE/blob/main/README.md","reference_id":"README.md","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-07T19:36:26Z/"}],"url":"https://github.com/PinkDraconian/PoC-Langchain-RCE/blob/main/README.md"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/29504?format=json","purl":"pkg:pypi/langchain@0.0.339","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-uhwf-4hp8-63gv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.339"},{"url":"http://public2.vulnerablecode.io/api/packages/83113?format=json","purl":"pkg:pypi/langchain@0.1.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-uhwf-4hp8-63gv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.1.11"}],"aliases":["CVE-2024-28088","GHSA-h59x-p739-982c","PYSEC-2024-43","PYSEC-2024-45"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2rhm-rh9f-13b7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64019?format=json","vulnerability_id":"VCID-449d-vdfh-x7fd","summary":"langchain-ai/langchain is vulnerable to path traversal due to improper limitation of a pathname to a restricted directory ('Path Traversal') in its LocalFileStore functionality. An attacker can leverage this vulnerability to read or write files anywhere on the filesystem, potentially leading to information disclosure or remote code execution. The issue lies in the handling of file paths in the mset and mget methods, where user-supplied input is not adequately sanitized, allowing directory traversal sequences to reach unintended directories.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-3571","reference_id":"","reference_type":"","scores":[{"value":"0.01915","scoring_system":"epss","scoring_elements":"0.83705","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-3571"},{"reference_url":"https://huntr.com/bounties/2df3acdc-ee4f-4257-bbf8-a7de3870a9d8","reference_id":"2df3acdc-ee4f-4257-bbf8-a7de3870a9d8","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-17T19:16:15Z/"}],"url":"https://huntr.com/bounties/2df3acdc-ee4f-4257-bbf8-a7de3870a9d8"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/aad3d8bd47d7f5598156ff2bdcc8f736f24a7412","reference_id":"aad3d8bd47d7f5598156ff2bdcc8f736f24a7412","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-17T19:16:15Z/"}],"url":"https://github.com/langchain-ai/langchain/commit/aad3d8bd47d7f5598156ff2bdcc8f736f24a7412"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3571","reference_id":"CVE-2024-3571","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3571"},{"reference_url":"https://github.com/advisories/GHSA-rgp8-pm28-3759","reference_id":"GHSA-rgp8-pm28-3759","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rgp8-pm28-3759"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30391?format=json","purl":"pkg:pypi/langchain@0.0.353","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-uhwf-4hp8-63gv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.353"}],"aliases":["CVE-2024-3571","GHSA-rgp8-pm28-3759"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-449d-vdfh-x7fd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/136683?format=json","vulnerability_id":"VCID-8jk9-a8mt-mke3","summary":"An issue in LangChain before 0.0.236 allows an attacker to execute arbitrary code because Python code with os.system, exec, or eval can be used.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36258","reference_id":"","reference_type":"","scores":[{"value":"0.00741","scoring_system":"epss","scoring_elements":"0.7342","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36258"},{"reference_url":"https://github.com/advisories/GHSA-2qmj-7962-cjq8","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2qmj-7962-cjq8"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/5872#issuecomment-1697785619","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/issues/5872#issuecomment-1697785619"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/6003","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/6003"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/7870","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/7870"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/8425","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/8425"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-98.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-98.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36258","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36258"},{"reference_url":"https://github.com/hwchase17/langchain/issues/5872","reference_id":"5872","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-22T16:45:46Z/"}],"url":"https://github.com/hwchase17/langchain/issues/5872"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76572?format=json","purl":"pkg:pypi/langchain@0.0.247","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1618-rc62-rke9"},{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-qvyx-jcxw-sbdh"},{"vulnerability":"VCID-s4wf-9m6c-8yay"},{"vulnerability":"VCID-tvj5-fy4j-yqar"},{"vulnerability":"VCID-uhwf-4hp8-63gv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247"}],"aliases":["CVE-2023-36258","GHSA-2qmj-7962-cjq8","PYSEC-2023-98"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8jk9-a8mt-mke3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58351?format=json","vulnerability_id":"VCID-9879-hp1u-47ds","summary":"With the following crawler configuration:\n\n```python\nfrom bs4 import BeautifulSoup as Soup\n\nurl = \"https://example.com\"\nloader = RecursiveUrlLoader(\n    url=url, max_depth=2, extractor=lambda x: Soup(x, \"html.parser\").text\n)\ndocs = loader.load()\n```\n\nAn attacker in control of the contents of `https://example.com` could place a malicious HTML file in there with links like \"https://example.completely.different/my_file.html\" and the crawler would proceed to download that file as well even though `prevent_outside=True`.\n\nhttps://github.com/langchain-ai/langchain/blob/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22/libs/community/langchain_community/document_loaders/recursive_url_loader.py#L51-L51\n\nResolved in https://github.com/langchain-ai/langchain/pull/15559","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-0243","reference_id":"","reference_type":"","scores":[{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26218","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-0243"},{"reference_url":"https://github.com/langchain-ai/langchain/blob/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22/libs/community/langchain_community/document_loaders/recursive_url_loader.py#L51-L51","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/blob/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22/libs/community/langchain_community/document_loaders/recursive_url_loader.py#L51-L51"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain-exa/PYSEC-2024-235.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain-exa/PYSEC-2024-235.yaml"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/15559","reference_id":"15559","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-26T18:43:11Z/"}],"url":"https://github.com/langchain-ai/langchain/pull/15559"},{"reference_url":"https://huntr.com/bounties/370904e7-10ac-40a4-a8d4-e2d16e1ca861","reference_id":"370904e7-10ac-40a4-a8d4-e2d16e1ca861","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-26T18:43:11Z/"}],"url":"https://huntr.com/bounties/370904e7-10ac-40a4-a8d4-e2d16e1ca861"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22","reference_id":"bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-26T18:43:11Z/"}],"url":"https://github.com/langchain-ai/langchain/commit/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0243","reference_id":"CVE-2024-0243","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0243"},{"reference_url":"https://github.com/advisories/GHSA-h9j7-5xvc-qhg5","reference_id":"GHSA-h9j7-5xvc-qhg5","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h9j7-5xvc-qhg5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/29315?format=json","purl":"pkg:pypi/langchain@0.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-uhwf-4hp8-63gv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.1.0"}],"aliases":["CVE-2024-0243","GHSA-h9j7-5xvc-qhg5","PYSEC-2024-235"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9879-hp1u-47ds"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38824?format=json","vulnerability_id":"VCID-9jxh-pfnm-w7gk","summary":"A vulnerability in the FAISS.deserialize_from_bytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the os.system function. The issue affects the latest version of the product.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-5998","reference_id":"","reference_type":"","scores":[{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25571","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-5998"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/77209f315efd13442ec51c67719ba37dfaa44511","reference_id":"","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/77209f315efd13442ec51c67719ba37dfaa44511"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/604dfe2d99246b0c09f047c604f0c63eafba31e7","reference_id":"604dfe2d99246b0c09f047c604f0c63eafba31e7","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L"},{"value":"5.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-17T13:28:59Z/"}],"url":"https://github.com/langchain-ai/langchain/commit/604dfe2d99246b0c09f047c604f0c63eafba31e7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-5998","reference_id":"CVE-2024-5998","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-5998"},{"reference_url":"https://huntr.com/bounties/fa3a2753-57c3-4e08-a176-d7a3ffda28fe","reference_id":"fa3a2753-57c3-4e08-a176-d7a3ffda28fe","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L"},{"value":"5.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-17T13:28:59Z/"}],"url":"https://huntr.com/bounties/fa3a2753-57c3-4e08-a176-d7a3ffda28fe"},{"reference_url":"https://github.com/advisories/GHSA-f2jm-rw3h-6phg","reference_id":"GHSA-f2jm-rw3h-6phg","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f2jm-rw3h-6phg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86193?format=json","purl":"pkg:pypi/langchain@0.2.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-uhwf-4hp8-63gv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.2.10"}],"aliases":["CVE-2024-5998","GHSA-f2jm-rw3h-6phg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9jxh-pfnm-w7gk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/142284?format=json","vulnerability_id":"VCID-9yh8-14yh-abhr","summary":"Langchain 0.0.171 is vulnerable to Arbitrary code execution in load_prompt.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34541","reference_id":"","reference_type":"","scores":[{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37396","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34541"},{"reference_url":"https://github.com/advisories/GHSA-6643-h7h5-x9wh","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6643-h7h5-x9wh"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/4849","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/issues/4849"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/4849#issuecomment-1697896569","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/issues/4849#issuecomment-1697896569"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/8425","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/8425"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-92.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-92.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34541","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34541"},{"reference_url":"https://github.com/hwchase17/langchain/issues/4849","reference_id":"4849","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-12-09T21:10:29Z/"}],"url":"https://github.com/hwchase17/langchain/issues/4849"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76572?format=json","purl":"pkg:pypi/langchain@0.0.247","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1618-rc62-rke9"},{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-qvyx-jcxw-sbdh"},{"vulnerability":"VCID-s4wf-9m6c-8yay"},{"vulnerability":"VCID-tvj5-fy4j-yqar"},{"vulnerability":"VCID-uhwf-4hp8-63gv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247"}],"aliases":["CVE-2023-34541","GHSA-6643-h7h5-x9wh","PYSEC-2023-92"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9yh8-14yh-abhr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64034?format=json","vulnerability_id":"VCID-cx6s-pyn2-cqcj","summary":"A Server-Side Request Forgery (SSRF) vulnerability exists in the Web Research Retriever component of langchain-ai/langchain version 0.1.5. The vulnerability arises because the Web Research Retriever does not restrict requests to remote internet addresses, allowing it to reach local addresses. This flaw enables attackers to execute port scans, access local services, and in some scenarios, read instance metadata from cloud environments. The vulnerability is particularly concerning as it can be exploited to abuse the Web Explorer server as a proxy for web attacks on third parties and interact with servers in the local network, including reading their response data. This could potentially lead to arbitrary code execution, depending on the nature of the local services. The vulnerability is limited to GET requests, as POST requests are not possible, but the impact on confidentiality, integrity, and availability is significant due to the potential for stolen credentials and state-changing interactions with internal APIs.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-3095","reference_id":"","reference_type":"","scores":[{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.37018","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-3095"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/24451","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/24451"},{"reference_url":"https://github.com/langchain-ai/langchain/releases/tag/langchain-community%3D%3D0.2.9","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/releases/tag/langchain-community%3D%3D0.2.9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3095","reference_id":"CVE-2024-3095","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3095"},{"reference_url":"https://huntr.com/bounties/e62d4895-2901-405b-9559-38276b6a5273","reference_id":"e62d4895-2901-405b-9559-38276b6a5273","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-07T18:54:30Z/"}],"url":"https://huntr.com/bounties/e62d4895-2901-405b-9559-38276b6a5273"},{"reference_url":"https://github.com/advisories/GHSA-q25c-c977-4cmh","reference_id":"GHSA-q25c-c977-4cmh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q25c-c977-4cmh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83108?format=json","purl":"pkg:pypi/langchain@0.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-uhwf-4hp8-63gv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.1.6"}],"aliases":["CVE-2024-3095","GHSA-q25c-c977-4cmh"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cx6s-pyn2-cqcj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/63275?format=json","vulnerability_id":"VCID-d5qc-zvmu-rkde","summary":"A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-2965.json","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-2965.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-2965","reference_id":"","reference_type":"","scores":[{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11719","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-2965"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/9a877c7adbd06f90a2518152f65b562bd90487cc","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/9a877c7adbd06f90a2518152f65b562bd90487cc"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/22903","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/22903"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-118.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-118.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2373306","reference_id":"2373306","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2373306"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/73c42306745b0831aa6fe7fe4eeb70d2c2d87a82","reference_id":"73c42306745b0831aa6fe7fe4eeb70d2c2d87a82","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-07T13:30:27Z/"}],"url":"https://github.com/langchain-ai/langchain/commit/73c42306745b0831aa6fe7fe4eeb70d2c2d87a82"},{"reference_url":"https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae","reference_id":"90b0776d-9fa6-4841-aac4-09fde5918cae","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-07T13:30:27Z/"}],"url":"https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2965","reference_id":"CVE-2024-2965","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2965"},{"reference_url":"https://github.com/advisories/GHSA-3hjh-jh2h-vrg6","reference_id":"GHSA-3hjh-jh2h-vrg6","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3hjh-jh2h-vrg6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32037?format=json","purl":"pkg:pypi/langchain@0.2.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-uhwf-4hp8-63gv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.2.5"}],"aliases":["CVE-2024-2965","GHSA-3hjh-jh2h-vrg6","PYSEC-2024-118"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d5qc-zvmu-rkde"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360837?format=json","vulnerability_id":"VCID-dg53-vte1-zyfy","summary":"Langchain SQL Injection vulnerability\nIn Langchain before 0.0.247, prompt injection allows execution of arbitrary code against the SQL service provided by the chain.","references":[{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32785","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32785"},{"reference_url":"https://github.com/advisories/GHSA-8h5w-f6q9-wg35","reference_id":"GHSA-8h5w-f6q9-wg35","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8h5w-f6q9-wg35"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76572?format=json","purl":"pkg:pypi/langchain@0.0.247","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1618-rc62-rke9"},{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-qvyx-jcxw-sbdh"},{"vulnerability":"VCID-s4wf-9m6c-8yay"},{"vulnerability":"VCID-tvj5-fy4j-yqar"},{"vulnerability":"VCID-uhwf-4hp8-63gv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247"}],"aliases":["CVE-2023-32785","GHSA-8h5w-f6q9-wg35"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dg53-vte1-zyfy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/143132?format=json","vulnerability_id":"VCID-ebf6-jbty-7bbr","summary":"In Langchain through 0.0.155, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into downstream tasks.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32786","reference_id":"","reference_type":"","scores":[{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33167","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32786"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/12747","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/12747"},{"reference_url":"https://github.com/langchain-ai/langchain/releases/tag/v0.0.329","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/releases/tag/v0.0.329"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32786","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32786"},{"reference_url":"https://gist.github.com/rharang/d265f46fc3161b31ac2e81db44d662e1","reference_id":"d265f46fc3161b31ac2e81db44d662e1","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:54:35Z/"}],"url":"https://gist.github.com/rharang/d265f46fc3161b31ac2e81db44d662e1"},{"reference_url":"https://github.com/advisories/GHSA-6h8p-4hx9-w66c","reference_id":"GHSA-6h8p-4hx9-w66c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6h8p-4hx9-w66c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76479?format=json","purl":"pkg:pypi/langchain@0.0.156","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1618-rc62-rke9"},{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-8jk9-a8mt-mke3"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-9yh8-14yh-abhr"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-dg53-vte1-zyfy"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-h3je-vmhg-x7bv"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-jpa5-z25b-u3d3"},{"vulnerability":"VCID-n4zy-w2mg-f3hx"},{"vulnerability":"VCID-qkx6-aewg-ryhb"},{"vulnerability":"VCID-qvyx-jcxw-sbdh"},{"vulnerability":"VCID-s4wf-9m6c-8yay"},{"vulnerability":"VCID-tvj5-fy4j-yqar"},{"vulnerability":"VCID-uhwf-4hp8-63gv"},{"vulnerability":"VCID-vrea-ew6n-vyf9"},{"vulnerability":"VCID-zh5c-9jvd-jfhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.156"},{"url":"http://public2.vulnerablecode.io/api/packages/83069?format=json","purl":"pkg:pypi/langchain@0.0.329","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-uhwf-4hp8-63gv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.329"}],"aliases":["CVE-2023-32786","GHSA-6h8p-4hx9-w66c"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ebf6-jbty-7bbr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70061?format=json","vulnerability_id":"VCID-enm9-kr4g-hbbz","summary":"LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to LangSmith SDK Python 0.8.0 and JS/TS 0.6.0, the LangSmith SDK's prompt pull methods (pull_prompt / pull_prompt_commit in Python, pullPrompt / pullPromptCommit in JS/TS) fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime behavior. When pulling a public prompt by owner/name identifier, the manifest content is controlled by an external party, but prior versions of the SDK did not distinguish this from pulling a prompt within the caller's own organization. This vulnerability is fixed in LangSmith SDK Python 0.8.0 and JS/TS 0.6.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45134","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11071","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45134"},{"reference_url":"https://github.com/langchain-ai/langsmith-sdk","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langsmith-sdk"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45134","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45134"},{"reference_url":"https://github.com/advisories/GHSA-3644-q5cj-c5c7","reference_id":"GHSA-3644-q5cj-c5c7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3644-q5cj-c5c7"},{"reference_url":"https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-3644-q5cj-c5c7","reference_id":"GHSA-3644-q5cj-c5c7","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-02T18:13:39Z/"}],"url":"https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-3644-q5cj-c5c7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376149?format=json","purl":"pkg:pypi/langchain@0.3.30","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.3.30"}],"aliases":["CVE-2026-45134","GHSA-3644-q5cj-c5c7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-enm9-kr4g-hbbz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/131880?format=json","vulnerability_id":"VCID-h3je-vmhg-x7bv","summary":"An issue in Harrison Chase langchain v.0.0.194 and before allows a remote attacker to execute arbitrary code via the from_math_prompt and from_colored_object_prompt functions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-38896","reference_id":"","reference_type":"","scores":[{"value":"0.01059","scoring_system":"epss","scoring_elements":"0.78045","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-38896"},{"reference_url":"https://github.com/advisories/GHSA-92j5-3459-qgp4","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-92j5-3459-qgp4"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-146.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-146.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38896","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38896"},{"reference_url":"https://twitter.com/llm_sec/status/1668711587287375876","reference_id":"1668711587287375876","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-09T13:02:00Z/"}],"url":"https://twitter.com/llm_sec/status/1668711587287375876"},{"reference_url":"https://github.com/hwchase17/langchain/issues/5872","reference_id":"5872","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-09T13:02:00Z/"}],"url":"https://github.com/hwchase17/langchain/issues/5872"},{"reference_url":"https://github.com/hwchase17/langchain/pull/6003","reference_id":"6003","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-09T13:02:00Z/"}],"url":"https://github.com/hwchase17/langchain/pull/6003"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76518?format=json","purl":"pkg:pypi/langchain@0.0.195","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1618-rc62-rke9"},{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-8jk9-a8mt-mke3"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-9yh8-14yh-abhr"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-dg53-vte1-zyfy"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-h3je-vmhg-x7bv"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-jpa5-z25b-u3d3"},{"vulnerability":"VCID-n4zy-w2mg-f3hx"},{"vulnerability":"VCID-qkx6-aewg-ryhb"},{"vulnerability":"VCID-qvyx-jcxw-sbdh"},{"vulnerability":"VCID-s4wf-9m6c-8yay"},{"vulnerability":"VCID-tvj5-fy4j-yqar"},{"vulnerability":"VCID-uhwf-4hp8-63gv"},{"vulnerability":"VCID-vrea-ew6n-vyf9"},{"vulnerability":"VCID-zh5c-9jvd-jfhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.195"},{"url":"http://public2.vulnerablecode.io/api/packages/76559?format=json","purl":"pkg:pypi/langchain@0.0.236","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1618-rc62-rke9"},{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-8jk9-a8mt-mke3"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-9yh8-14yh-abhr"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-dg53-vte1-zyfy"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-jpa5-z25b-u3d3"},{"vulnerability":"VCID-n4zy-w2mg-f3hx"},{"vulnerability":"VCID-qvyx-jcxw-sbdh"},{"vulnerability":"VCID-s4wf-9m6c-8yay"},{"vulnerability":"VCID-tvj5-fy4j-yqar"},{"vulnerability":"VCID-uhwf-4hp8-63gv"},{"vulnerability":"VCID-zh5c-9jvd-jfhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.236"}],"aliases":["CVE-2023-38896","GHSA-92j5-3459-qgp4","PYSEC-2023-146"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h3je-vmhg-x7bv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34421?format=json","vulnerability_id":"VCID-hxnj-z9jr-kue7","summary":"A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-8309.json","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-8309.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-8309","reference_id":"","reference_type":"","scores":[{"value":"0.02002","scoring_system":"epss","scoring_elements":"0.84044","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-8309"},{"reference_url":"https://github.com/advisories/GHSA-45pg-36p6-83v9","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://github.com/advisories/GHSA-45pg-36p6-83v9"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/64c317eba05fbac0c6a6fc5aa192bc0d7130972e","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/64c317eba05fbac0c6a6fc5aa192bc0d7130972e"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-115.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-115.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8309","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8309"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2322452","reference_id":"2322452","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2322452"},{"reference_url":"https://huntr.com/bounties/8f4ad910-7fdc-4089-8f0a-b5df5f32e7c5","reference_id":"8f4ad910-7fdc-4089-8f0a-b5df5f32e7c5","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-29T13:50:16Z/"}],"url":"https://huntr.com/bounties/8f4ad910-7fdc-4089-8f0a-b5df5f32e7c5"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/c2a3021bb0c5f54649d380b42a0684ca5778c255","reference_id":"c2a3021bb0c5f54649d380b42a0684ca5778c255","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-29T13:50:16Z/"}],"url":"https://github.com/langchain-ai/langchain/commit/c2a3021bb0c5f54649d380b42a0684ca5778c255"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83759?format=json","purl":"pkg:pypi/langchain@0.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-uhwf-4hp8-63gv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.2.0"}],"aliases":["CVE-2024-8309","GHSA-45pg-36p6-83v9","PYSEC-2024-115"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hxnj-z9jr-kue7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/136789?format=json","vulnerability_id":"VCID-jpa5-z25b-u3d3","summary":"SQL injection vulnerability in langchain before v0.0.247 allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36189","reference_id":"","reference_type":"","scores":[{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.37042","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36189"},{"reference_url":"https://github.com/advisories/GHSA-7q94-qpjr-xpgm","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7q94-qpjr-xpgm"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/5923","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/issues/5923"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/8425","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/8425"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-110.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-110.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36189","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36189"},{"reference_url":"https://github.com/hwchase17/langchain/issues/5923","reference_id":"5923","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:29:03Z/"}],"url":"https://github.com/hwchase17/langchain/issues/5923"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/5923#issuecomment-1696053841","reference_id":"5923#issuecomment-1696053841","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:29:03Z/"}],"url":"https://github.com/langchain-ai/langchain/issues/5923#issuecomment-1696053841"},{"reference_url":"https://github.com/hwchase17/langchain/pull/6051","reference_id":"6051","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:29:03Z/"}],"url":"https://github.com/hwchase17/langchain/pull/6051"},{"reference_url":"https://gist.github.com/rharang/9c58d39db8c01db5b7c888e467c0533f","reference_id":"9c58d39db8c01db5b7c888e467c0533f","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:29:03Z/"}],"url":"https://gist.github.com/rharang/9c58d39db8c01db5b7c888e467c0533f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76572?format=json","purl":"pkg:pypi/langchain@0.0.247","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1618-rc62-rke9"},{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-qvyx-jcxw-sbdh"},{"vulnerability":"VCID-s4wf-9m6c-8yay"},{"vulnerability":"VCID-tvj5-fy4j-yqar"},{"vulnerability":"VCID-uhwf-4hp8-63gv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247"}],"aliases":["CVE-2023-36189","GHSA-7q94-qpjr-xpgm","PYSEC-2023-110"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jpa5-z25b-u3d3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/136383?format=json","vulnerability_id":"VCID-n4zy-w2mg-f3hx","summary":"An issue in langchain v.0.0.64 allows a remote attacker to execute arbitrary code via the PALChain parameter in the Python exec method.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36188","reference_id":"","reference_type":"","scores":[{"value":"0.11195","scoring_system":"epss","scoring_elements":"0.93669","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36188"},{"reference_url":"https://github.com/advisories/GHSA-57fc-8q82-gfp3","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-57fc-8q82-gfp3"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/6003","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/6003"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/8425","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/8425"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-109.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-109.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36188","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36188"},{"reference_url":"https://github.com/hwchase17/langchain/issues/5872","reference_id":"5872","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-19T19:03:12Z/"}],"url":"https://github.com/hwchase17/langchain/issues/5872"},{"reference_url":"https://github.com/hwchase17/langchain/pull/6003","reference_id":"6003","reference_type":"","scores":[{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-19T19:03:12Z/"}],"url":"https://github.com/hwchase17/langchain/pull/6003"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75519?format=json","purl":"pkg:pypi/langchain@0.0.65","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1618-rc62-rke9"},{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-8jk9-a8mt-mke3"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-9yh8-14yh-abhr"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-dg53-vte1-zyfy"},{"vulnerability":"VCID-ebf6-jbty-7bbr"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-h3je-vmhg-x7bv"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-jpa5-z25b-u3d3"},{"vulnerability":"VCID-n4zy-w2mg-f3hx"},{"vulnerability":"VCID-qkx6-aewg-ryhb"},{"vulnerability":"VCID-qq81-myur-z7f9"},{"vulnerability":"VCID-qvyx-jcxw-sbdh"},{"vulnerability":"VCID-s4wf-9m6c-8yay"},{"vulnerability":"VCID-tvj5-fy4j-yqar"},{"vulnerability":"VCID-uhwf-4hp8-63gv"},{"vulnerability":"VCID-vrea-ew6n-vyf9"},{"vulnerability":"VCID-zh5c-9jvd-jfhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.65"},{"url":"http://public2.vulnerablecode.io/api/packages/76559?format=json","purl":"pkg:pypi/langchain@0.0.236","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1618-rc62-rke9"},{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-8jk9-a8mt-mke3"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-9yh8-14yh-abhr"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-dg53-vte1-zyfy"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-jpa5-z25b-u3d3"},{"vulnerability":"VCID-n4zy-w2mg-f3hx"},{"vulnerability":"VCID-qvyx-jcxw-sbdh"},{"vulnerability":"VCID-s4wf-9m6c-8yay"},{"vulnerability":"VCID-tvj5-fy4j-yqar"},{"vulnerability":"VCID-uhwf-4hp8-63gv"},{"vulnerability":"VCID-zh5c-9jvd-jfhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.236"},{"url":"http://public2.vulnerablecode.io/api/packages/76572?format=json","purl":"pkg:pypi/langchain@0.0.247","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1618-rc62-rke9"},{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-qvyx-jcxw-sbdh"},{"vulnerability":"VCID-s4wf-9m6c-8yay"},{"vulnerability":"VCID-tvj5-fy4j-yqar"},{"vulnerability":"VCID-uhwf-4hp8-63gv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247"}],"aliases":["CVE-2023-36188","GHSA-57fc-8q82-gfp3","PYSEC-2023-109"],"risk_score":0.1,"exploitability":"0.5","weighted_severity":"0.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n4zy-w2mg-f3hx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218335?format=json","vulnerability_id":"VCID-qkx6-aewg-ryhb","summary":"Langchain 0.0.171 is vulnerable to Arbitrary Code Execution.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34540","reference_id":"","reference_type":"","scores":[{"value":"0.0187","scoring_system":"epss","scoring_elements":"0.83513","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34540"},{"reference_url":"https://github.com/advisories/GHSA-x32c-59v5-h7fg","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x32c-59v5-h7fg"},{"reference_url":"https://github.com/hwchase17/langchain/issues/4833","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/hwchase17/langchain/issues/4833"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/a2f191a32229256dd41deadf97786fe41ce04cbb","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/a2f191a32229256dd41deadf97786fe41ce04cbb"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/4833","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/issues/4833"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/6992","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/6992"},{"reference_url":"https://github.com/langchain-ai/langchain/releases/tag/v0.0.225","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/releases/tag/v0.0.225"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-91.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-91.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34540","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34540"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76548?format=json","purl":"pkg:pypi/langchain@0.0.225","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1618-rc62-rke9"},{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-8jk9-a8mt-mke3"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-9yh8-14yh-abhr"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-dg53-vte1-zyfy"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-h3je-vmhg-x7bv"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-jpa5-z25b-u3d3"},{"vulnerability":"VCID-n4zy-w2mg-f3hx"},{"vulnerability":"VCID-qvyx-jcxw-sbdh"},{"vulnerability":"VCID-s4wf-9m6c-8yay"},{"vulnerability":"VCID-tvj5-fy4j-yqar"},{"vulnerability":"VCID-uhwf-4hp8-63gv"},{"vulnerability":"VCID-vrea-ew6n-vyf9"},{"vulnerability":"VCID-zh5c-9jvd-jfhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.225"}],"aliases":["CVE-2023-34540","GHSA-x32c-59v5-h7fg","PYSEC-2023-91"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qkx6-aewg-ryhb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/140529?format=json","vulnerability_id":"VCID-qq81-myur-z7f9","summary":"In LangChain through 0.0.131, the LLMMathChain chain allows prompt injection attacks that can execute arbitrary code via the Python exec method.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29374","reference_id":"","reference_type":"","scores":[{"value":"0.03769","scoring_system":"epss","scoring_elements":"0.88308","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29374"},{"reference_url":"https://github.com/advisories/GHSA-fprp-p869-w6q2","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fprp-p869-w6q2"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-18.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-18.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29374","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29374"},{"reference_url":"https://twitter.com/rharang/status/1641899743608463365/photo/1","reference_id":"1","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-12T16:14:23Z/"}],"url":"https://twitter.com/rharang/status/1641899743608463365/photo/1"},{"reference_url":"https://github.com/hwchase17/langchain/issues/1026","reference_id":"1026","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-12T16:14:23Z/"}],"url":"https://github.com/hwchase17/langchain/issues/1026"},{"reference_url":"https://github.com/hwchase17/langchain/pull/1119","reference_id":"1119","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-12T16:14:23Z/"}],"url":"https://github.com/hwchase17/langchain/pull/1119"},{"reference_url":"https://github.com/hwchase17/langchain/issues/814","reference_id":"814","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-12T16:14:23Z/"}],"url":"https://github.com/hwchase17/langchain/issues/814"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75589?format=json","purl":"pkg:pypi/langchain@0.0.132","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1618-rc62-rke9"},{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-8jk9-a8mt-mke3"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-9yh8-14yh-abhr"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-dg53-vte1-zyfy"},{"vulnerability":"VCID-ebf6-jbty-7bbr"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-h3je-vmhg-x7bv"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-jpa5-z25b-u3d3"},{"vulnerability":"VCID-n4zy-w2mg-f3hx"},{"vulnerability":"VCID-qkx6-aewg-ryhb"},{"vulnerability":"VCID-qvyx-jcxw-sbdh"},{"vulnerability":"VCID-s4wf-9m6c-8yay"},{"vulnerability":"VCID-tvj5-fy4j-yqar"},{"vulnerability":"VCID-uhwf-4hp8-63gv"},{"vulnerability":"VCID-vrea-ew6n-vyf9"},{"vulnerability":"VCID-zh5c-9jvd-jfhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.132"}],"aliases":["CVE-2023-29374","GHSA-fprp-p869-w6q2","PYSEC-2023-18"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qq81-myur-z7f9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/132569?format=json","vulnerability_id":"VCID-qvyx-jcxw-sbdh","summary":"LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46229.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46229.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-46229","reference_id":"","reference_type":"","scores":[{"value":"0.01752","scoring_system":"epss","scoring_elements":"0.82978","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-46229"},{"reference_url":"https://github.com/advisories/GHSA-655w-fm8m-m478","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-655w-fm8m-m478"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-205.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-205.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46229","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46229"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/11925","reference_id":"11925","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-12T18:06:03Z/"}],"url":"https://github.com/langchain-ai/langchain/pull/11925"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2390135","reference_id":"2390135","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2390135"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/9ecb7240a480720ec9d739b3877a52f76098a2b8","reference_id":"9ecb7240a480720ec9d739b3877a52f76098a2b8","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-12T18:06:03Z/"}],"url":"https://github.com/langchain-ai/langchain/commit/9ecb7240a480720ec9d739b3877a52f76098a2b8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79527?format=json","purl":"pkg:pypi/langchain@0.0.317","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-uhwf-4hp8-63gv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.317"}],"aliases":["CVE-2023-46229","GHSA-655w-fm8m-m478","PYSEC-2023-205"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qvyx-jcxw-sbdh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/136626?format=json","vulnerability_id":"VCID-s4wf-9m6c-8yay","summary":"An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via a JSON file to load_prompt. This is related to __subclasses__ or a template.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36281","reference_id":"","reference_type":"","scores":[{"value":"0.62245","scoring_system":"epss","scoring_elements":"0.98385","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36281"},{"reference_url":"https://github.com/advisories/GHSA-7gfq-f96f-g85j","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7gfq-f96f-g85j"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/22abeb9f6cc555591bf8e92b5e328e43aa07ff6c","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/22abeb9f6cc555591bf8e92b5e328e43aa07ff6c"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/10252","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/10252"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-151.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-151.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36281","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36281"},{"reference_url":"https://github.com/hwchase17/langchain/issues/4394","reference_id":"4394","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2023-12-13T16:27:50Z/"}],"url":"https://github.com/hwchase17/langchain/issues/4394"},{"reference_url":"https://aisec.today/LangChain-2e6244a313dd46139c5ef28cbcab9e55","reference_id":"LangChain-2e6244a313dd46139c5ef28cbcab9e55","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2023-12-13T16:27:50Z/"}],"url":"https://aisec.today/LangChain-2e6244a313dd46139c5ef28cbcab9e55"},{"reference_url":"https://github.com/langchain-ai/langchain/releases/tag/v0.0.312","reference_id":"v0.0.312","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2023-12-13T16:27:50Z/"}],"url":"https://github.com/langchain-ai/langchain/releases/tag/v0.0.312"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76494?format=json","purl":"pkg:pypi/langchain@0.0.171","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1618-rc62-rke9"},{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-8jk9-a8mt-mke3"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-9yh8-14yh-abhr"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-dg53-vte1-zyfy"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-h3je-vmhg-x7bv"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-jpa5-z25b-u3d3"},{"vulnerability":"VCID-n4zy-w2mg-f3hx"},{"vulnerability":"VCID-qkx6-aewg-ryhb"},{"vulnerability":"VCID-qvyx-jcxw-sbdh"},{"vulnerability":"VCID-s4wf-9m6c-8yay"},{"vulnerability":"VCID-tvj5-fy4j-yqar"},{"vulnerability":"VCID-uhwf-4hp8-63gv"},{"vulnerability":"VCID-vrea-ew6n-vyf9"},{"vulnerability":"VCID-zh5c-9jvd-jfhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.171"},{"url":"http://public2.vulnerablecode.io/api/packages/79522?format=json","purl":"pkg:pypi/langchain@0.0.312","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-qvyx-jcxw-sbdh"},{"vulnerability":"VCID-uhwf-4hp8-63gv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.312"}],"aliases":["CVE-2023-36281","GHSA-7gfq-f96f-g85j","PYSEC-2023-151"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s4wf-9m6c-8yay"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/139375?format=json","vulnerability_id":"VCID-tvj5-fy4j-yqar","summary":"An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-39631","reference_id":"","reference_type":"","scores":[{"value":"0.01754","scoring_system":"epss","scoring_elements":"0.82988","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-39631"},{"reference_url":"https://github.com/advisories/GHSA-f73w-4m7g-ch9x","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f73w-4m7g-ch9x"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/11302","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/11302"},{"reference_url":"https://github.com/langchain-ai/langchain/releases/tag/v0.0.308","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/releases/tag/v0.0.308"},{"reference_url":"https://github.com/pydata/numexpr/commit/4b2d89cf14e75030d27629925b9998e1e91d23c7","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pydata/numexpr/commit/4b2d89cf14e75030d27629925b9998e1e91d23c7"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-162.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-162.yaml"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/numexpr/PYSEC-2023-163.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/numexpr/PYSEC-2023-163.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39631","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39631"},{"reference_url":"https://github.com/pydata/numexpr/issues/442","reference_id":"442","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-01T13:18:27Z/"}],"url":"https://github.com/pydata/numexpr/issues/442"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/8363","reference_id":"8363","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-01T13:18:27Z/"}],"url":"https://github.com/langchain-ai/langchain/issues/8363"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78006?format=json","purl":"pkg:pypi/langchain@0.0.308","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-qvyx-jcxw-sbdh"},{"vulnerability":"VCID-uhwf-4hp8-63gv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.308"}],"aliases":["CVE-2023-39631","GHSA-f73w-4m7g-ch9x","PYSEC-2023-162","PYSEC-2023-163"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tvj5-fy4j-yqar"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218390?format=json","vulnerability_id":"VCID-uhwf-4hp8-63gv","summary":"A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.","references":[],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86204?format=json","purl":"pkg:pypi/langchain@0.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-enm9-kr4g-hbbz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.3.1"}],"aliases":["PYSEC-2024-114"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uhwf-4hp8-63gv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/136692?format=json","vulnerability_id":"VCID-vrea-ew6n-vyf9","summary":"An issue in Harrison Chase langchain v.0.0.194 allows an attacker to execute arbitrary code via the python exec calls in the PALChain, affected functions include from_math_prompt and from_colored_object_prompt.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36095","reference_id":"","reference_type":"","scores":[{"value":"0.03155","scoring_system":"epss","scoring_elements":"0.87194","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36095"},{"reference_url":"https://github.com/advisories/GHSA-gwqq-6vq7-5j86","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gwqq-6vq7-5j86"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e"},{"reference_url":"https://github.com/langchain-ai/langchain/commits/v0.0.236?after=4d8b48bdb3f17c764c5c2e3c7140071603869e74+34&branch=v0.0.236&qualified_name=refs%2Ftags%2Fv0.0.236","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commits/v0.0.236?after=4d8b48bdb3f17c764c5c2e3c7140071603869e74+34&branch=v0.0.236&qualified_name=refs%2Ftags%2Fv0.0.236"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/6003","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/6003"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/7870","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/7870"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-138.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-138.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36095","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36095"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/5872","reference_id":"5872","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-17T14:46:57Z/"}],"url":"https://github.com/langchain-ai/langchain/issues/5872"},{"reference_url":"https://github.com/hwchase17/langchain","reference_id":"langchain","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-17T14:46:57Z/"}],"url":"https://github.com/hwchase17/langchain"},{"reference_url":"http://langchain.com","reference_id":"langchain.com","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-17T14:46:57Z/"}],"url":"http://langchain.com"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76559?format=json","purl":"pkg:pypi/langchain@0.0.236","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1618-rc62-rke9"},{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-8jk9-a8mt-mke3"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-9yh8-14yh-abhr"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-dg53-vte1-zyfy"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-jpa5-z25b-u3d3"},{"vulnerability":"VCID-n4zy-w2mg-f3hx"},{"vulnerability":"VCID-qvyx-jcxw-sbdh"},{"vulnerability":"VCID-s4wf-9m6c-8yay"},{"vulnerability":"VCID-tvj5-fy4j-yqar"},{"vulnerability":"VCID-uhwf-4hp8-63gv"},{"vulnerability":"VCID-zh5c-9jvd-jfhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.236"}],"aliases":["CVE-2023-36095","GHSA-gwqq-6vq7-5j86","PYSEC-2023-138"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vrea-ew6n-vyf9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/131832?format=json","vulnerability_id":"VCID-zh5c-9jvd-jfhz","summary":"An issue in LangChain v.0.0.231 allows a remote attacker to execute arbitrary code via the prompt parameter.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-38860","reference_id":"","reference_type":"","scores":[{"value":"0.01824","scoring_system":"epss","scoring_elements":"0.83292","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-38860"},{"reference_url":"https://github.com/advisories/GHSA-fj32-q626-pjjc","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fj32-q626-pjjc"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/d353d668e4b0514122a443cef91de7f76fea4245","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/d353d668e4b0514122a443cef91de7f76fea4245"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/7641","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/issues/7641"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/8092","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/8092"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/8425","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/8425"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-145.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-145.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38860","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38860"},{"reference_url":"https://github.com/hwchase17/langchain/issues/7641","reference_id":"7641","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-09T13:16:43Z/"}],"url":"https://github.com/hwchase17/langchain/issues/7641"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76572?format=json","purl":"pkg:pypi/langchain@0.0.247","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1618-rc62-rke9"},{"vulnerability":"VCID-2rhm-rh9f-13b7"},{"vulnerability":"VCID-449d-vdfh-x7fd"},{"vulnerability":"VCID-9879-hp1u-47ds"},{"vulnerability":"VCID-9jxh-pfnm-w7gk"},{"vulnerability":"VCID-cx6s-pyn2-cqcj"},{"vulnerability":"VCID-d5qc-zvmu-rkde"},{"vulnerability":"VCID-enm9-kr4g-hbbz"},{"vulnerability":"VCID-hxnj-z9jr-kue7"},{"vulnerability":"VCID-qvyx-jcxw-sbdh"},{"vulnerability":"VCID-s4wf-9m6c-8yay"},{"vulnerability":"VCID-tvj5-fy4j-yqar"},{"vulnerability":"VCID-uhwf-4hp8-63gv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247"}],"aliases":["CVE-2023-38860","GHSA-fj32-q626-pjjc","PYSEC-2023-145"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zh5c-9jvd-jfhz"}],"fixing_vulnerabilities":[],"risk_score":"4.4","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.9"}