Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/langchain-core@0.2.13

Type pypi

Namespace

Name langchain-core

Version 0.2.13

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 0.3.85

Latest_non_vulnerable_version 1.3.3

Affected_by_vulnerabilities

url VCID-4u9s-4vzv-zfhm

vulnerability_id VCID-4u9s-4vzv-zfhm

summary

langchain-core allows unauthorized users to read arbitrary files from the host file system
A vulnerability in langchain-core versions >=0.1.17,<0.1.53, >=0.2.0,<0.2.43, and >=0.3.0,<0.3.15 allows unauthorized users to read arbitrary files from the host file system. The issue arises from the ability to create langchain_core.prompts.ImagePromptTemplate's (and by extension langchain_core.prompts.ChatPromptTemplate's) with input variables that can read any user-specified path from the server file system. If the outputs of these prompt templates are exposed to the user, either directly or through downstream model outputs, it can lead to the exposure of sensitive information.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-10940.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-10940.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-10940

reference_id

reference_type

scores

value	0.00274
scoring_system	epss
scoring_elements	0.51085
published_at	2026-06-05T12:55:00Z

value	0.00274
scoring_system	epss
scoring_elements	0.51069
published_at	2026-06-07T12:55:00Z

value	0.00274
scoring_system	epss
scoring_elements	0.51091
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-10940

reference_url

https://github.com/langchain-ai/langchain

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/langchain-ai/langchain

reference_url

https://github.com/langchain-ai/langchain/commit/7d481f10102f43559cc57bcad7eba291067939ee

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/langchain-ai/langchain/commit/7d481f10102f43559cc57bcad7eba291067939ee

reference_url

https://github.com/langchain-ai/langchain/commit/c1e742347f9701aadba8920e4d1f79a636e50b68

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:54:57Z/

url

https://github.com/langchain-ai/langchain/commit/c1e742347f9701aadba8920e4d1f79a636e50b68

reference_url

https://github.com/langchain-ai/langchain/commit/e711034713259ae448981bc0fd1d7a5671499c31

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/langchain-ai/langchain/commit/e711034713259ae448981bc0fd1d7a5671499c31

reference_url

https://huntr.com/bounties/be1ee1cb-2147-4ff4-a57b-b6045271cf27

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:54:57Z/

url

https://huntr.com/bounties/be1ee1cb-2147-4ff4-a57b-b6045271cf27

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2353815
reference_id	2353815
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2353815

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-10940

reference_id

CVE-2024-10940

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-10940

reference_url	https://github.com/advisories/GHSA-5chr-fjjv-38qv
reference_id	GHSA-5chr-fjjv-38qv
reference_type
scores
url	https://github.com/advisories/GHSA-5chr-fjjv-38qv

fixed_packages

url pkg:pypi/langchain-core@0.2.43

purl pkg:pypi/langchain-core@0.2.43

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-61vg-ekxn-hqfv

vulnerability	VCID-8fbt-6heb-uyg1

vulnerability	VCID-91ur-jaq8-xqcj

vulnerability	VCID-z7kv-vrhw-1qad

vulnerability	VCID-zb77-fwdy-dbfy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-core@0.2.43

url pkg:pypi/langchain-core@0.3.15

purl pkg:pypi/langchain-core@0.3.15

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-61vg-ekxn-hqfv

vulnerability	VCID-8fbt-6heb-uyg1

vulnerability	VCID-91ur-jaq8-xqcj

vulnerability	VCID-z7kv-vrhw-1qad

vulnerability	VCID-zb77-fwdy-dbfy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-core@0.3.15

aliases CVE-2024-10940, GHSA-5chr-fjjv-38qv

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4u9s-4vzv-zfhm

url VCID-61vg-ekxn-hqfv

vulnerability_id VCID-61vg-ekxn-hqfv

summary

LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages
The `ChatOpenAI.get_num_tokens_from_messages()` method fetches arbitrary `image_url` values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26013.json

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26013.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-26013

reference_id

reference_type

scores

value	0.00019
scoring_system	epss
scoring_elements	0.05476
published_at	2026-06-07T12:55:00Z

value	0.00019
scoring_system	epss
scoring_elements	0.05492
published_at	2026-06-05T12:55:00Z

value	0.00019
scoring_system	epss
scoring_elements	0.05475
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-26013

reference_url

https://github.com/langchain-ai/langchain

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/langchain-ai/langchain

reference_url

https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-11T21:26:20Z/

url

https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565

reference_url

https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-11T21:26:20Z/

url

https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2438772
reference_id	2438772
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2438772

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-26013

reference_id

CVE-2026-26013

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-26013

reference_url

https://github.com/advisories/GHSA-2g6r-c272-w58r

reference_id

GHSA-2g6r-c272-w58r

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-2g6r-c272-w58r

reference_url

https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r

reference_id

GHSA-2g6r-c272-w58r

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-11T21:26:20Z/

url

https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r

fixed_packages

url pkg:pypi/langchain-core@1.2.11

purl pkg:pypi/langchain-core@1.2.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-z7kv-vrhw-1qad

vulnerability	VCID-zb77-fwdy-dbfy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-core@1.2.11

aliases CVE-2026-26013, GHSA-2g6r-c272-w58r

risk_score 1.6

exploitability 0.5

weighted_severity 3.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-61vg-ekxn-hqfv

url VCID-8fbt-6heb-uyg1

vulnerability_id VCID-8fbt-6heb-uyg1

summary

LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
A serialization injection vulnerability exists in LangChain's `dumps()` and `dumpd()` functions. The functions do not escape dictionaries with `'lc'` keys when serializing free-form dictionaries. The `'lc'` key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68664.json

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68664.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-68664

reference_id

reference_type

scores

value	0.02624
scoring_system	epss
scoring_elements	0.85979
published_at	2026-06-06T12:55:00Z

value	0.02624
scoring_system	epss
scoring_elements	0.85975
published_at	2026-06-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-68664

reference_url

https://github.com/langchain-ai/langchain

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/langchain-ai/langchain

reference_url

https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-24T14:40:55Z/

url

https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8

reference_url

https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-24T14:40:55Z/

url

https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6

reference_url

https://github.com/langchain-ai/langchain/pull/34455

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-24T14:40:55Z/

url

https://github.com/langchain-ai/langchain/pull/34455

reference_url

https://github.com/langchain-ai/langchain/pull/34458

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-24T14:40:55Z/

url

https://github.com/langchain-ai/langchain/pull/34458

reference_url

https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-24T14:40:55Z/

url

https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81

reference_url

https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-24T14:40:55Z/

url

https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2424790
reference_id	2424790
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2424790

reference_url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52514.py
reference_id	CVE-2025-68664
reference_type	exploit
scores
url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52514.py

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-68664

reference_id

CVE-2025-68664

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-68664

reference_url

https://github.com/advisories/GHSA-c67j-w6g6-q2cm

reference_id

GHSA-c67j-w6g6-q2cm

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-c67j-w6g6-q2cm

reference_url

https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm

reference_id

GHSA-c67j-w6g6-q2cm

reference_type

scores

value	9.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-24T14:40:55Z/

url

https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm

reference_url	https://access.redhat.com/errata/RHSA-2026:0406
reference_id	RHSA-2026:0406
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:0406

reference_url	https://access.redhat.com/errata/RHSA-2026:0408
reference_id	RHSA-2026:0408
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:0408

reference_url	https://access.redhat.com/errata/RHSA-2026:0409
reference_id	RHSA-2026:0409
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:0409

reference_url	https://access.redhat.com/errata/RHSA-2026:1610
reference_id	RHSA-2026:1610
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:1610

fixed_packages

url pkg:pypi/langchain-core@0.3.81

purl pkg:pypi/langchain-core@0.3.81

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-61vg-ekxn-hqfv

vulnerability	VCID-z7kv-vrhw-1qad

vulnerability	VCID-zb77-fwdy-dbfy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-core@0.3.81

url pkg:pypi/langchain-core@0.4.0.dev0

purl pkg:pypi/langchain-core@0.4.0.dev0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-61vg-ekxn-hqfv

vulnerability	VCID-zb77-fwdy-dbfy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-core@0.4.0.dev0

url pkg:pypi/langchain-core@1.2.5

purl pkg:pypi/langchain-core@1.2.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-61vg-ekxn-hqfv

vulnerability	VCID-z7kv-vrhw-1qad

vulnerability	VCID-zb77-fwdy-dbfy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-core@1.2.5

aliases CVE-2025-68664, GHSA-c67j-w6g6-q2cm

risk_score 10.0

exploitability 2.0

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8fbt-6heb-uyg1

url VCID-91ur-jaq8-xqcj

vulnerability_id VCID-91ur-jaq8-xqcj

summary

Duplicate
This advisory duplicates another.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-65106.json

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-65106.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-65106

reference_id

reference_type

scores

value	0.00052
scoring_system	epss
scoring_elements	0.16548
published_at	2026-06-07T12:55:00Z

value	0.00052
scoring_system	epss
scoring_elements	0.16593
published_at	2026-06-05T12:55:00Z

value	0.00052
scoring_system	epss
scoring_elements	0.1659
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-65106

reference_url

https://github.com/langchain-ai/langchain

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/langchain-ai/langchain

reference_url

https://github.com/langchain-ai/langchain/commit/c4b6ba254e1a49ed91f2e268e6484011c540542a

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-21T21:53:02Z/

url

https://github.com/langchain-ai/langchain/commit/c4b6ba254e1a49ed91f2e268e6484011c540542a

reference_url

https://github.com/langchain-ai/langchain/commit/fa7789d6c21222b85211755d822ef698d3b34e00

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-21T21:53:02Z/

url

https://github.com/langchain-ai/langchain/commit/fa7789d6c21222b85211755d822ef698d3b34e00

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2416504
reference_id	2416504
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2416504

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-65106

reference_id

CVE-2025-65106

reference_type

scores

value	8.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-65106

reference_url

https://github.com/advisories/GHSA-6qv9-48xg-fc7f

reference_id

GHSA-6qv9-48xg-fc7f

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-6qv9-48xg-fc7f

reference_url

https://github.com/langchain-ai/langchain/security/advisories/GHSA-6qv9-48xg-fc7f

reference_id

GHSA-6qv9-48xg-fc7f

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	8.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-21T21:53:02Z/

url

https://github.com/langchain-ai/langchain/security/advisories/GHSA-6qv9-48xg-fc7f

fixed_packages

url pkg:pypi/langchain-core@0.3.80

purl pkg:pypi/langchain-core@0.3.80

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-61vg-ekxn-hqfv

vulnerability	VCID-8fbt-6heb-uyg1

vulnerability	VCID-z7kv-vrhw-1qad

vulnerability	VCID-zb77-fwdy-dbfy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-core@0.3.80

url pkg:pypi/langchain-core@1.0.7

purl pkg:pypi/langchain-core@1.0.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-61vg-ekxn-hqfv

vulnerability	VCID-8fbt-6heb-uyg1

vulnerability	VCID-z7kv-vrhw-1qad

vulnerability	VCID-zb77-fwdy-dbfy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-core@1.0.7

aliases CVE-2025-65106, GHSA-6qv9-48xg-fc7f

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-91ur-jaq8-xqcj

url VCID-z7kv-vrhw-1qad

vulnerability_id VCID-z7kv-vrhw-1qad

summary langchain: incomplete f-string validation in prompt templates

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40087.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40087.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-40087

reference_id

reference_type

scores

value	0.00055
scoring_system	epss
scoring_elements	0.17482
published_at	2026-06-07T12:55:00Z

value	0.00055
scoring_system	epss
scoring_elements	0.17523
published_at	2026-06-05T12:55:00Z

value	0.00055
scoring_system	epss
scoring_elements	0.17518
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-40087

reference_url

https://github.com/langchain-ai/langchain

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/langchain-ai/langchain

reference_url

https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:47:52Z/

url

https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b

reference_url

https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:47:52Z/

url

https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258

reference_url

https://github.com/langchain-ai/langchain/pull/36612

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:47:52Z/

url

https://github.com/langchain-ai/langchain/pull/36612

reference_url

https://github.com/langchain-ai/langchain/pull/36613

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:47:52Z/

url

https://github.com/langchain-ai/langchain/pull/36613

reference_url

https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:47:52Z/

url

https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84

reference_url

https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:47:52Z/

url

https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28

reference_url

https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-14T14:47:52Z/

url

https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-40087

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-40087

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2457024
reference_id	2457024
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2457024

reference_url

https://github.com/advisories/GHSA-926x-3r5x-gfhw

reference_id

GHSA-926x-3r5x-gfhw

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-926x-3r5x-gfhw

fixed_packages

url pkg:pypi/langchain-core@0.3.84

purl pkg:pypi/langchain-core@0.3.84

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-rn2w-tbct-4ygj

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-core@0.3.84

url pkg:pypi/langchain-core@0.4.0.dev0

purl pkg:pypi/langchain-core@0.4.0.dev0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-61vg-ekxn-hqfv

vulnerability	VCID-zb77-fwdy-dbfy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-core@0.4.0.dev0

url	pkg:pypi/langchain-core@1.2.28
purl	pkg:pypi/langchain-core@1.2.28
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-core@1.2.28

aliases CVE-2026-40087, GHSA-926x-3r5x-gfhw

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z7kv-vrhw-1qad

url VCID-zb77-fwdy-dbfy

vulnerability_id VCID-zb77-fwdy-dbfy

summary langchain: path traversal in legacy load_prompt functions in langchain-core

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34070.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34070.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-34070

reference_id

reference_type

scores

value	0.00035
scoring_system	epss
scoring_elements	0.10901
published_at	2026-06-05T12:55:00Z

value	0.00035
scoring_system	epss
scoring_elements	0.1089
published_at	2026-06-06T12:55:00Z

value	0.00037
scoring_system	epss
scoring_elements	0.11373
published_at	2026-06-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-34070

reference_url

https://github.com/langchain-ai/langchain

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/langchain-ai/langchain

reference_url

https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T15:17:33Z/

url

https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c

reference_url

https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T15:17:33Z/

url

https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22

reference_url

https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T15:17:33Z/

url

https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-34070

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-34070

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2453287
reference_id	2453287
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2453287

reference_url

https://github.com/advisories/GHSA-qh6h-p6c9-ff54

reference_id

GHSA-qh6h-p6c9-ff54

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-qh6h-p6c9-ff54

fixed_packages

url pkg:pypi/langchain-core@1.2.22

purl pkg:pypi/langchain-core@1.2.22

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-z7kv-vrhw-1qad

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-core@1.2.22

aliases CVE-2026-34070, GHSA-qh6h-p6c9-ff54

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zb77-fwdy-dbfy

Fixing_vulnerabilities

Risk_score 10.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-core@0.2.13

Package Instance