Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/langflow@0.0.32
Type pypi
Namespace
Name langflow
Version 0.0.32
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.9.1
Latest_non_vulnerable_version 1.9.1
Affected_by_vulnerabilities
0
url VCID-1vhk-ax4w-juca
vulnerability_id VCID-1vhk-ax4w-juca
summary Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). Version 1.8.0 fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27966
reference_id
reference_type
scores
0
value 0.41016
scoring_system epss
scoring_elements 0.97485
published_at 2026-06-12T12:55:00Z
1
value 0.41016
scoring_system epss
scoring_elements 0.97477
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27966
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27966
reference_id CVE-2026-27966
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27966
2
reference_url https://github.com/langflow-ai/langflow/commit/d8c6480daa17b2f2af0b5470cdf5c3d28dc9e508
reference_id d8c6480daa17b2f2af0b5470cdf5c3d28dc9e508
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-27T14:15:24Z/
url https://github.com/langflow-ai/langflow/commit/d8c6480daa17b2f2af0b5470cdf5c3d28dc9e508
3
reference_url https://github.com/advisories/GHSA-3645-fxcv-hqr4
reference_id GHSA-3645-fxcv-hqr4
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3645-fxcv-hqr4
4
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-3645-fxcv-hqr4
reference_id GHSA-3645-fxcv-hqr4
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-27T14:15:24Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-3645-fxcv-hqr4
fixed_packages
aliases CVE-2026-27966, GHSA-3645-fxcv-hqr4
risk_score 10.0
exploitability 2.0
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1vhk-ax4w-juca
1
url VCID-64jj-rzvk-33f7
vulnerability_id VCID-64jj-rzvk-33f7
summary Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpoint, the folder_name and file_name parameters are not strictly filtered, which allows the secret_key to be read across directories. Version 1.7.1 contains a patch.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33497
reference_id
reference_type
scores
0
value 0.0005
scoring_system epss
scoring_elements 0.15891
published_at 2026-06-11T12:55:00Z
1
value 0.0005
scoring_system epss
scoring_elements 0.16031
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33497
1
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2026-81.yaml
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2026-81.yaml
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33497
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33497
3
reference_url https://github.com/advisories/GHSA-ph9w-r52h-28p7
reference_id GHSA-ph9w-r52h-28p7
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-ph9w-r52h-28p7
4
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-ph9w-r52h-28p7
reference_id GHSA-ph9w-r52h-28p7
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:45:18Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-ph9w-r52h-28p7
fixed_packages
0
url pkg:pypi/langflow@1.7.1
purl pkg:pypi/langflow@1.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1vhk-ax4w-juca
1
vulnerability VCID-6m8d-fx7p-23g4
2
vulnerability VCID-6sd1-av8j-sbdy
3
vulnerability VCID-7g9e-cufb-67bg
4
vulnerability VCID-9pmh-48aa-q7d3
5
vulnerability VCID-apy6-s5uk-13hw
6
vulnerability VCID-h5jb-r3s8-gkbq
7
vulnerability VCID-hqmp-tfuk-1uh9
8
vulnerability VCID-tfr4-sg8u-xuec
9
vulnerability VCID-tq12-2qw8-2qgz
10
vulnerability VCID-yxtv-rc7j-aka5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.7.1
aliases CVE-2026-33497, GHSA-ph9w-r52h-28p7, PYSEC-2026-81
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-64jj-rzvk-33f7
2
url VCID-6m8d-fx7p-23g4
vulnerability_id VCID-6m8d-fx7p-23g4
summary A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function create_project/encrypt_auth_settings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument auth_settings leads to cleartext storage in a file or on disk. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-6598
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02888
published_at 2026-06-12T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02878
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-6598
1
reference_url https://github.com/langflow-ai/langflow/commit/45325f6376309a91f5017fa033a96c09c7e295e3
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/commit/45325f6376309a91f5017fa033a96c09c7e295e3
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-6598
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-6598
3
reference_url https://vuldb.com/vuln/358233
reference_id 358233
reference_type
scores
0
value 4
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR
1
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
2
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
3
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
4
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
5
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T16:19:05Z/
url https://vuldb.com/vuln/358233
4
reference_url https://gist.github.com/chenhouser2025/77adb3486c06c635ae4b09a3eaf90213
reference_id 77adb3486c06c635ae4b09a3eaf90213
reference_type
scores
0
value 4
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR
1
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
2
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
3
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
5
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T16:19:05Z/
url https://gist.github.com/chenhouser2025/77adb3486c06c635ae4b09a3eaf90213
5
reference_url https://vuldb.com/submit/791921
reference_id 791921
reference_type
scores
0
value 4
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR
1
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
2
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
3
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
4
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
5
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T16:19:05Z/
url https://vuldb.com/submit/791921
6
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
7
reference_url https://vuldb.com/vuln/358233/cti
reference_id cti
reference_type
scores
0
value 4
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR
1
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
2
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
3
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
4
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
5
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T16:19:05Z/
url https://vuldb.com/vuln/358233/cti
8
reference_url https://github.com/advisories/GHSA-9jpj-cph8-w449
reference_id GHSA-9jpj-cph8-w449
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9jpj-cph8-w449
fixed_packages
0
url pkg:pypi/langflow@1.9.1
purl pkg:pypi/langflow@1.9.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.9.1
aliases CVE-2026-6598, GHSA-9jpj-cph8-w449
risk_score 2.4
exploitability 0.5
weighted_severity 4.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6m8d-fx7p-23g4
3
url VCID-6sd1-av8j-sbdy
vulnerability_id VCID-6sd1-av8j-sbdy
summary
Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-0770
reference_id
reference_type
scores
0
value 0.17664
scoring_system epss
scoring_elements 0.95268
published_at 2026-06-12T12:55:00Z
1
value 0.17664
scoring_system epss
scoring_elements 0.95253
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-0770
1
reference_url https://www.zerodayinitiative.com/advisories/ZDI-26-036
reference_id
reference_type
scores
0
value 8.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.zerodayinitiative.com/advisories/ZDI-26-036
2
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52597.py
reference_id CVE-2026-0770
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52597.py
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-0770
reference_id CVE-2026-0770
reference_type
scores
0
value 8.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-0770
4
reference_url https://github.com/affix/CVE-2026-0770-PoC
reference_id CVE-2026-0770-POC
reference_type
scores
0
value 8.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/affix/CVE-2026-0770-PoC
5
reference_url https://github.com/advisories/GHSA-g22f-v6f7-2hrh
reference_id GHSA-g22f-v6f7-2hrh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g22f-v6f7-2hrh
6
reference_url https://www.zerodayinitiative.com/advisories/ZDI-26-036/
reference_id ZDI-26-036
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-24T04:56:28Z/
url https://www.zerodayinitiative.com/advisories/ZDI-26-036/
fixed_packages
aliases CVE-2026-0770, GHSA-g22f-v6f7-2hrh
risk_score 10.0
exploitability 2.0
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6sd1-av8j-sbdy
4
url VCID-6y1z-b2ye-jkd6
vulnerability_id VCID-6y1z-b2ye-jkd6
summary Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains a patch.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-21445
reference_id
reference_type
scores
0
value 0.07998
scoring_system epss
scoring_elements 0.92308
published_at 2026-06-12T12:55:00Z
1
value 0.09015
scoring_system epss
scoring_elements 0.92814
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-21445
1
reference_url https://github.com/langflow-ai/langflow/releases/tag/1.7.1
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/releases/tag/1.7.1
2
reference_url https://github.com/langflow-ai/langflow/commit/3fed9fe1b5658f2c8656dbd73508e113a96e486a
reference_id 3fed9fe1b5658f2c8656dbd73508e113a96e486a
reference_type
scores
0
value 8.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-01-06T04:55:18Z/
url https://github.com/langflow-ai/langflow/commit/3fed9fe1b5658f2c8656dbd73508e113a96e486a
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-21445
reference_id CVE-2026-21445
reference_type
scores
0
value 8.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-21445
4
reference_url https://github.com/advisories/GHSA-c5cp-vx83-jhqx
reference_id GHSA-c5cp-vx83-jhqx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-c5cp-vx83-jhqx
5
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-c5cp-vx83-jhqx
reference_id GHSA-c5cp-vx83-jhqx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-01-06T04:55:18Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-c5cp-vx83-jhqx
fixed_packages
0
url pkg:pypi/langflow@1.7.1
purl pkg:pypi/langflow@1.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1vhk-ax4w-juca
1
vulnerability VCID-6m8d-fx7p-23g4
2
vulnerability VCID-6sd1-av8j-sbdy
3
vulnerability VCID-7g9e-cufb-67bg
4
vulnerability VCID-9pmh-48aa-q7d3
5
vulnerability VCID-apy6-s5uk-13hw
6
vulnerability VCID-h5jb-r3s8-gkbq
7
vulnerability VCID-hqmp-tfuk-1uh9
8
vulnerability VCID-tfr4-sg8u-xuec
9
vulnerability VCID-tq12-2qw8-2qgz
10
vulnerability VCID-yxtv-rc7j-aka5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.7.1
aliases CVE-2026-21445, GHSA-c5cp-vx83-jhqx
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6y1z-b2ye-jkd6
5
url VCID-6zu3-1ch5-kucf
vulnerability_id VCID-6zu3-1ch5-kucf
summary Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-34291
reference_id
reference_type
scores
0
value 0.34785
scoring_system epss
scoring_elements 0.97126
published_at 2026-06-11T12:55:00Z
1
value 0.37674
scoring_system epss
scoring_elements 0.97308
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-34291
1
reference_url https://github.com/langflow-ai/langflow/pull/10139
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/pull/10139
2
reference_url https://github.com/langflow-ai/langflow/pull/10696
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/pull/10696
3
reference_url https://github.com/langflow-ai/langflow/pull/9240
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/pull/9240
4
reference_url https://github.com/langflow-ai/langflow/pull/9441
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/pull/9441
5
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2025-78.yaml
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2025-78.yaml
6
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-34291
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-34291
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-34291
reference_id CVE-2025-34291
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-34291
8
reference_url https://www.crowdsec.net/vulntracking-report/cve-2025-34291
reference_id CVE-2025-34291
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.crowdsec.net/vulntracking-report/cve-2025-34291
9
reference_url https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform
reference_id cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-05-21T19:39:27Z/
url https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform
10
reference_url https://github.com/advisories/GHSA-577h-p2hh-v4mv
reference_id GHSA-577h-p2hh-v4mv
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-577h-p2hh-v4mv
11
reference_url https://github.com/langflow-ai/langflow
reference_id langflow
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-05-21T19:39:27Z/
url https://github.com/langflow-ai/langflow
12
reference_url https://www.vulncheck.com/advisories/langflow-cors-misconfiguration-to-token-hijack-and-rce
reference_id langflow-cors-misconfiguration-to-token-hijack-and-rce
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-05-21T19:39:27Z/
url https://www.vulncheck.com/advisories/langflow-cors-misconfiguration-to-token-hijack-and-rce
fixed_packages
0
url pkg:pypi/langflow@1.7.0
purl pkg:pypi/langflow@1.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1vhk-ax4w-juca
1
vulnerability VCID-64jj-rzvk-33f7
2
vulnerability VCID-6m8d-fx7p-23g4
3
vulnerability VCID-6sd1-av8j-sbdy
4
vulnerability VCID-6y1z-b2ye-jkd6
5
vulnerability VCID-7g9e-cufb-67bg
6
vulnerability VCID-8fj2-6xd3-t3ac
7
vulnerability VCID-9pmh-48aa-q7d3
8
vulnerability VCID-apy6-s5uk-13hw
9
vulnerability VCID-h5jb-r3s8-gkbq
10
vulnerability VCID-hqcp-zjrm-t3dk
11
vulnerability VCID-hqmp-tfuk-1uh9
12
vulnerability VCID-tfr4-sg8u-xuec
13
vulnerability VCID-tq12-2qw8-2qgz
14
vulnerability VCID-yxtv-rc7j-aka5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.7.0
aliases CVE-2025-34291, GHSA-577h-p2hh-v4mv, PYSEC-2025-78
risk_score 10.0
exploitability 2.0
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6zu3-1ch5-kucf
6
url VCID-7g9e-cufb-67bg
vulnerability_id VCID-7g9e-cufb-67bg
summary Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API (DELETE /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are concatenated directly into file paths without proper sanitization or boundary validation. An authenticated attacker can exploit this flaw to delete arbitrary directories anywhere on the server's filesystem, leading to data loss and potential service disruption. This vulnerability is fixed in 1.9.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-42048
reference_id
reference_type
scores
0
value 0.00019
scoring_system epss
scoring_elements 0.05221
published_at 2026-06-12T12:55:00Z
1
value 0.00019
scoring_system epss
scoring_elements 0.05209
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-42048
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-42048
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-42048
2
reference_url https://github.com/advisories/GHSA-9whx-c884-c68q
reference_id GHSA-9whx-c884-c68q
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9whx-c884-c68q
3
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-9whx-c884-c68q
reference_id GHSA-9whx-c884-c68q
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:13:40Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-9whx-c884-c68q
fixed_packages
0
url pkg:pypi/langflow@1.9.0
purl pkg:pypi/langflow@1.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6m8d-fx7p-23g4
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.9.0
aliases CVE-2026-42048, GHSA-9whx-c884-c68q
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7g9e-cufb-67bg
7
url VCID-8fj2-6xd3-t3ac
vulnerability_id VCID-8fj2-6xd3-t3ac
summary Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-68478
reference_id
reference_type
scores
0
value 0.00034
scoring_system epss
scoring_elements 0.10628
published_at 2026-06-12T12:55:00Z
1
value 0.00034
scoring_system epss
scoring_elements 0.10569
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-68478
1
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2025-125.yaml
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2025-125.yaml
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-68478
reference_id CVE-2025-68478
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-68478
3
reference_url https://github.com/advisories/GHSA-f43r-cc68-gpx4
reference_id GHSA-f43r-cc68-gpx4
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f43r-cc68-gpx4
4
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4
reference_id GHSA-f43r-cc68-gpx4
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-19T17:23:19Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4
fixed_packages
0
url pkg:pypi/langflow@1.7.0
purl pkg:pypi/langflow@1.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1vhk-ax4w-juca
1
vulnerability VCID-64jj-rzvk-33f7
2
vulnerability VCID-6m8d-fx7p-23g4
3
vulnerability VCID-6sd1-av8j-sbdy
4
vulnerability VCID-6y1z-b2ye-jkd6
5
vulnerability VCID-7g9e-cufb-67bg
6
vulnerability VCID-8fj2-6xd3-t3ac
7
vulnerability VCID-9pmh-48aa-q7d3
8
vulnerability VCID-apy6-s5uk-13hw
9
vulnerability VCID-h5jb-r3s8-gkbq
10
vulnerability VCID-hqcp-zjrm-t3dk
11
vulnerability VCID-hqmp-tfuk-1uh9
12
vulnerability VCID-tfr4-sg8u-xuec
13
vulnerability VCID-tq12-2qw8-2qgz
14
vulnerability VCID-yxtv-rc7j-aka5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.7.0
1
url pkg:pypi/langflow@1.7.1
purl pkg:pypi/langflow@1.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1vhk-ax4w-juca
1
vulnerability VCID-6m8d-fx7p-23g4
2
vulnerability VCID-6sd1-av8j-sbdy
3
vulnerability VCID-7g9e-cufb-67bg
4
vulnerability VCID-9pmh-48aa-q7d3
5
vulnerability VCID-apy6-s5uk-13hw
6
vulnerability VCID-h5jb-r3s8-gkbq
7
vulnerability VCID-hqmp-tfuk-1uh9
8
vulnerability VCID-tfr4-sg8u-xuec
9
vulnerability VCID-tq12-2qw8-2qgz
10
vulnerability VCID-yxtv-rc7j-aka5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.7.1
aliases CVE-2025-68478, GHSA-f43r-cc68-gpx4, PYSEC-2025-125
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8fj2-6xd3-t3ac
8
url VCID-9pmh-48aa-q7d3
vulnerability_id VCID-9pmh-48aa-q7d3
summary Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes it with only a generic authentication check (get_current_active_user dependency). However, the delete_api_key() CRUD function does NOT verify that the API key belongs to the current user before deletion.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33053
reference_id
reference_type
scores
0
value 0.00057
scoring_system epss
scoring_elements 0.18343
published_at 2026-06-12T12:55:00Z
1
value 0.00057
scoring_system epss
scoring_elements 0.18179
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33053
1
reference_url https://github.com/langflow-ai/langflow/commit/fdc1b3b1448ff3317d73d3e769a6c4a1717f74d7
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/commit/fdc1b3b1448ff3317d73d3e769a6c4a1717f74d7
2
reference_url https://github.com/langflow-ai/langflow/releases/tag/1.7.2
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/releases/tag/1.7.2
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2026-78.yaml
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2026-78.yaml
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33053
reference_id CVE-2026-33053
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-33053
5
reference_url https://github.com/advisories/GHSA-rf6x-r45m-xv3w
reference_id GHSA-rf6x-r45m-xv3w
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rf6x-r45m-xv3w
6
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-rf6x-r45m-xv3w
reference_id GHSA-rf6x-r45m-xv3w
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:L
3
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
4
value HIGH
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-20T16:22:42Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-rf6x-r45m-xv3w
fixed_packages
0
url pkg:pypi/langflow@1.9.0
purl pkg:pypi/langflow@1.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6m8d-fx7p-23g4
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.9.0
aliases CVE-2026-33053, GHSA-rf6x-r45m-xv3w, PYSEC-2026-78
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9pmh-48aa-q7d3
9
url VCID-apy6-s5uk-13hw
vulnerability_id VCID-apy6-s5uk-13hw
summary Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33017
reference_id
reference_type
scores
0
value 0.24652
scoring_system epss
scoring_elements 0.96268
published_at 2026-06-12T12:55:00Z
1
value 0.24652
scoring_system epss
scoring_elements 0.96257
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33017
1
reference_url https://github.com/langflow-ai/langflow/issues/12345
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/issues/12345
2
reference_url https://github.com/langflow-ai/langflow/pull/12160
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/pull/12160
3
reference_url https://github.com/langflow-ai/langflow/releases/tag/1.8.2
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/releases/tag/1.8.2
4
reference_url https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33017
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33017
6
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33017
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33017
7
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017
8
reference_url https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours
9
reference_url https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0
reference_id 73b6612e3ef25fdae0a752d75b0fabd47328d4f0
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-26T03:55:25Z/
url https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0
10
reference_url https://github.com/advisories/GHSA-rvqx-wpfh-mfx7
reference_id GHSA-rvqx-wpfh-mfx7
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-26T03:55:25Z/
url https://github.com/advisories/GHSA-rvqx-wpfh-mfx7
11
reference_url https://github.com/advisories/GHSA-vwmf-pq79-vjvx
reference_id GHSA-vwmf-pq79-vjvx
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vwmf-pq79-vjvx
12
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx
reference_id GHSA-vwmf-pq79-vjvx
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A
3
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
4
value CRITICAL
scoring_system generic_textual
scoring_elements
5
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-26T03:55:25Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx
fixed_packages
0
url pkg:pypi/langflow@1.9.0
purl pkg:pypi/langflow@1.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6m8d-fx7p-23g4
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.9.0
aliases CVE-2026-33017, GHSA-vwmf-pq79-vjvx
risk_score 10.0
exploitability 2.0
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-apy6-s5uk-13hw
10
url VCID-dyj1-bd1u-xfby
vulnerability_id VCID-dyj1-bd1u-xfby
summary
Duplicate Advisory: Langflow Vulnerable to Code Injection via the `/api/v1/validate/code` endpoint
### Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-rvqx-wpfh-mfx7. This link is maintained to preserve external references.

### Original Description

Langflow versions prior to 1.3.0 are susceptible to code injection in the `/api/v1/validate/code` endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
references
0
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-3248
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-3248
1
reference_url https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai
2
reference_url https://github.com/advisories/GHSA-c995-4fw3-j39m
reference_id GHSA-c995-4fw3-j39m
reference_type
scores
url https://github.com/advisories/GHSA-c995-4fw3-j39m
fixed_packages
0
url pkg:pypi/langflow@1.3.0
purl pkg:pypi/langflow@1.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1vhk-ax4w-juca
1
vulnerability VCID-64jj-rzvk-33f7
2
vulnerability VCID-6m8d-fx7p-23g4
3
vulnerability VCID-6sd1-av8j-sbdy
4
vulnerability VCID-6y1z-b2ye-jkd6
5
vulnerability VCID-6zu3-1ch5-kucf
6
vulnerability VCID-7g9e-cufb-67bg
7
vulnerability VCID-8fj2-6xd3-t3ac
8
vulnerability VCID-9pmh-48aa-q7d3
9
vulnerability VCID-apy6-s5uk-13hw
10
vulnerability VCID-h5jb-r3s8-gkbq
11
vulnerability VCID-hfhf-2k6v-sbcf
12
vulnerability VCID-hqcp-zjrm-t3dk
13
vulnerability VCID-hqmp-tfuk-1uh9
14
vulnerability VCID-hrmb-buvy-kuh7
15
vulnerability VCID-tfr4-sg8u-xuec
16
vulnerability VCID-tq12-2qw8-2qgz
17
vulnerability VCID-yxtv-rc7j-aka5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.3.0
aliases GHSA-c995-4fw3-j39m
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dyj1-bd1u-xfby
11
url VCID-fmgm-qx2r-kbev
vulnerability_id VCID-fmgm-qx2r-kbev
summary langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-42835
reference_id
reference_type
scores
0
value 0.0911
scoring_system epss
scoring_elements 0.92874
published_at 2026-06-12T12:55:00Z
1
value 0.0911
scoring_system epss
scoring_elements 0.92851
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-42835
1
reference_url https://github.com/advisories/GHSA-56m6-4mhw-h3g5
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/advisories/GHSA-56m6-4mhw-h3g5
2
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2024-279.yaml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2024-279.yaml
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-42835
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-42835
4
reference_url https://github.com/langflow-ai/langflow/issues/2908
reference_id 2908
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-31T18:26:22Z/
url https://github.com/langflow-ai/langflow/issues/2908
fixed_packages
0
url pkg:pypi/langflow@1.0.13
purl pkg:pypi/langflow@1.0.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1vhk-ax4w-juca
1
vulnerability VCID-64jj-rzvk-33f7
2
vulnerability VCID-6m8d-fx7p-23g4
3
vulnerability VCID-6sd1-av8j-sbdy
4
vulnerability VCID-6y1z-b2ye-jkd6
5
vulnerability VCID-6zu3-1ch5-kucf
6
vulnerability VCID-7g9e-cufb-67bg
7
vulnerability VCID-8fj2-6xd3-t3ac
8
vulnerability VCID-9pmh-48aa-q7d3
9
vulnerability VCID-apy6-s5uk-13hw
10
vulnerability VCID-dyj1-bd1u-xfby
11
vulnerability VCID-gqz9-n71r-g7dh
12
vulnerability VCID-guzs-mx47-efcn
13
vulnerability VCID-h5jb-r3s8-gkbq
14
vulnerability VCID-hfhf-2k6v-sbcf
15
vulnerability VCID-hqcp-zjrm-t3dk
16
vulnerability VCID-hrmb-buvy-kuh7
17
vulnerability VCID-t5kz-ceey-83em
18
vulnerability VCID-tfr4-sg8u-xuec
19
vulnerability VCID-tq12-2qw8-2qgz
20
vulnerability VCID-yxtv-rc7j-aka5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.0.13
aliases CVE-2024-42835, GHSA-56m6-4mhw-h3g5, PYSEC-2024-279
risk_score 4.4
exploitability 0.5
weighted_severity 8.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fmgm-qx2r-kbev
12
url VCID-gqz9-n71r-g7dh
vulnerability_id VCID-gqz9-n71r-g7dh
summary langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the components run on the local machine rather than in a sandbox.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-48061
reference_id
reference_type
scores
0
value 0.132
scoring_system epss
scoring_elements 0.94295
published_at 2026-06-11T12:55:00Z
1
value 0.132
scoring_system epss
scoring_elements 0.94316
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-48061
1
reference_url https://github.com/langflow-ai/langflow/issues/696
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/issues/696
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-48061
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-48061
3
reference_url https://gist.github.com/AfterSnows/1e58257867002462923fd62dde2b5d61
reference_id 1e58257867002462923fd62dde2b5d61
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-06T19:16:58Z/
url https://gist.github.com/AfterSnows/1e58257867002462923fd62dde2b5d61
4
reference_url https://github.com/advisories/GHSA-5p5r-57fx-pmfr
reference_id GHSA-5p5r-57fx-pmfr
reference_type
scores
url https://github.com/advisories/GHSA-5p5r-57fx-pmfr
5
reference_url https://rumbling-slice-eb0.notion.site/There-is-a-Remote-Code-Execution-RCE-vulnerability-in-the-repository-https-github-com-langflow-a-105e3cda9e8c800fac92f1b571bd40d8
reference_id There-is-a-Remote-Code-Execution-RCE-vulnerability-in-the-repository-https-github-com-langflow-a-105e3cda9e8c800fac92f1b571bd40d8
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-06T19:16:58Z/
url https://rumbling-slice-eb0.notion.site/There-is-a-Remote-Code-Execution-RCE-vulnerability-in-the-repository-https-github-com-langflow-a-105e3cda9e8c800fac92f1b571bd40d8
fixed_packages
0
url pkg:pypi/langflow@1.0.19
purl pkg:pypi/langflow@1.0.19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1vhk-ax4w-juca
1
vulnerability VCID-64jj-rzvk-33f7
2
vulnerability VCID-6m8d-fx7p-23g4
3
vulnerability VCID-6sd1-av8j-sbdy
4
vulnerability VCID-6y1z-b2ye-jkd6
5
vulnerability VCID-6zu3-1ch5-kucf
6
vulnerability VCID-7g9e-cufb-67bg
7
vulnerability VCID-8fj2-6xd3-t3ac
8
vulnerability VCID-9pmh-48aa-q7d3
9
vulnerability VCID-apy6-s5uk-13hw
10
vulnerability VCID-dyj1-bd1u-xfby
11
vulnerability VCID-guzs-mx47-efcn
12
vulnerability VCID-h5jb-r3s8-gkbq
13
vulnerability VCID-hfhf-2k6v-sbcf
14
vulnerability VCID-hqcp-zjrm-t3dk
15
vulnerability VCID-hrmb-buvy-kuh7
16
vulnerability VCID-tfr4-sg8u-xuec
17
vulnerability VCID-tq12-2qw8-2qgz
18
vulnerability VCID-yxtv-rc7j-aka5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.0.19
aliases CVE-2024-48061, GHSA-5p5r-57fx-pmfr
risk_score 4.4
exploitability 0.5
weighted_severity 8.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gqz9-n71r-g7dh
13
url VCID-guzs-mx47-efcn
vulnerability_id VCID-guzs-mx47-efcn
summary
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-3248
reference_id
reference_type
scores
0
value 0.92853
scoring_system epss
scoring_elements 0.99777
published_at 2026-06-11T12:55:00Z
1
value 0.92985
scoring_system epss
scoring_elements 0.99788
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-3248
1
reference_url https://github.com/langflow-ai/langflow/commit/faac4db133de32fcb6d483fa9ff52f40ce42bdc0
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/commit/faac4db133de32fcb6d483fa9ff52f40ce42bdc0
2
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-rvqx-wpfh-mfx7
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-rvqx-wpfh-mfx7
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-3248
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-3248
4
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3248
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3248
5
reference_url https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai
6
reference_url https://github.com/langflow-ai/langflow/releases/tag/1.3.0
reference_id 1.3.0
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-08-15T19:50:13Z/
url https://github.com/langflow-ai/langflow/releases/tag/1.3.0
7
reference_url https://github.com/langflow-ai/langflow/pull/6911
reference_id 6911
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-08-15T19:50:13Z/
url https://github.com/langflow-ai/langflow/pull/6911
8
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/52262.txt
reference_id CVE-2025-3248
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/52262.txt
9
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52364.py
reference_id CVE-2025-3248
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52364.py
10
reference_url https://github.com/advisories/GHSA-rvqx-wpfh-mfx7
reference_id GHSA-rvqx-wpfh-mfx7
reference_type
scores
url https://github.com/advisories/GHSA-rvqx-wpfh-mfx7
11
reference_url https://www.vulncheck.com/advisories/langflow-unauthenticated-rce
reference_id langflow-unauthenticated-rce
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-08-15T19:50:13Z/
url https://www.vulncheck.com/advisories/langflow-unauthenticated-rce
12
reference_url https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/
reference_id unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-08-15T19:50:13Z/
url https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/
fixed_packages
0
url pkg:pypi/langflow@1.3.0
purl pkg:pypi/langflow@1.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1vhk-ax4w-juca
1
vulnerability VCID-64jj-rzvk-33f7
2
vulnerability VCID-6m8d-fx7p-23g4
3
vulnerability VCID-6sd1-av8j-sbdy
4
vulnerability VCID-6y1z-b2ye-jkd6
5
vulnerability VCID-6zu3-1ch5-kucf
6
vulnerability VCID-7g9e-cufb-67bg
7
vulnerability VCID-8fj2-6xd3-t3ac
8
vulnerability VCID-9pmh-48aa-q7d3
9
vulnerability VCID-apy6-s5uk-13hw
10
vulnerability VCID-h5jb-r3s8-gkbq
11
vulnerability VCID-hfhf-2k6v-sbcf
12
vulnerability VCID-hqcp-zjrm-t3dk
13
vulnerability VCID-hqmp-tfuk-1uh9
14
vulnerability VCID-hrmb-buvy-kuh7
15
vulnerability VCID-tfr4-sg8u-xuec
16
vulnerability VCID-tq12-2qw8-2qgz
17
vulnerability VCID-yxtv-rc7j-aka5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.3.0
aliases CVE-2025-3248, GHSA-rvqx-wpfh-mfx7, PYSEC-2025-36
risk_score 10.0
exploitability 2.0
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-guzs-mx47-efcn
14
url VCID-h5jb-r3s8-gkbq
vulnerability_id VCID-h5jb-r3s8-gkbq
summary A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-6597
reference_id
reference_type
scores
0
value 0.00011
scoring_system epss
scoring_elements 0.01564
published_at 2026-06-12T12:55:00Z
1
value 0.00011
scoring_system epss
scoring_elements 0.01561
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-6597
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-6597
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
1
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-6597
2
reference_url https://vuldb.com/vuln/358232
reference_id 358232
reference_type
scores
0
value 3.3
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:M/C:P/I:N/A:N/E:POC/RL:ND/RC:UR
1
value 2.7
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
2
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
3
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
4
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
5
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T11:42:17Z/
url https://vuldb.com/vuln/358232
3
reference_url https://vuldb.com/submit/791920
reference_id 791920
reference_type
scores
0
value 3.3
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:M/C:P/I:N/A:N/E:POC/RL:ND/RC:UR
1
value 2.7
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
2
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
3
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
4
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
5
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T11:42:17Z/
url https://vuldb.com/submit/791920
4
reference_url https://gist.github.com/chenhouser2025/b93261c6e651f14800a4f2e4365f357b
reference_id b93261c6e651f14800a4f2e4365f357b
reference_type
scores
0
value 3.3
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:M/C:P/I:N/A:N/E:POC/RL:ND/RC:UR
1
value 2.7
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
2
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
3
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
4
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
5
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T11:42:17Z/
url https://gist.github.com/chenhouser2025/b93261c6e651f14800a4f2e4365f357b
5
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
6
reference_url https://vuldb.com/vuln/358232/cti
reference_id cti
reference_type
scores
0
value 3.3
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:M/C:P/I:N/A:N/E:POC/RL:ND/RC:UR
1
value 2.7
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
2
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
3
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
4
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
5
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T11:42:17Z/
url https://vuldb.com/vuln/358232/cti
7
reference_url https://github.com/advisories/GHSA-5jjf-wcvf-923w
reference_id GHSA-5jjf-wcvf-923w
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5jjf-wcvf-923w
fixed_packages
0
url pkg:pypi/langflow@1.8.4
purl pkg:pypi/langflow@1.8.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6m8d-fx7p-23g4
1
vulnerability VCID-7g9e-cufb-67bg
2
vulnerability VCID-9pmh-48aa-q7d3
3
vulnerability VCID-hqmp-tfuk-1uh9
4
vulnerability VCID-tq12-2qw8-2qgz
5
vulnerability VCID-yxtv-rc7j-aka5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.8.4
aliases CVE-2026-6597, GHSA-5jjf-wcvf-923w
risk_score 2.3
exploitability 0.5
weighted_severity 4.6
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-h5jb-r3s8-gkbq
15
url VCID-hfhf-2k6v-sbcf
vulnerability_id VCID-hfhf-2k6v-sbcf
summary Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.5.1, the `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGIN` setting to decide whether to filter by `user_id`. When `AUTO_LOGIN` was `False` (i.e., authentication was enabled), neither branch enforced an ownership check — the query returned any flow matching the given UUID regardless of who owned it. This allowed any authenticated user to read any other user's flow, including embedded plaintext API keys; modify the logic of another user's AI agents; and/or delete flows belonging to other users. The vulnerability was introduced by the conditional logic that was meant to accommodate public/example flows (those with `user_id = NULL`) under auto-login mode, but inadvertently left the authenticated path without an ownership filter. The fix in version 1.5.1 removes the `AUTO_LOGIN` conditional entirely and unconditionally scopes the query to the requesting user.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34046
reference_id
reference_type
scores
0
value 0.00054
scoring_system epss
scoring_elements 0.17261
published_at 2026-06-11T12:55:00Z
1
value 0.00054
scoring_system epss
scoring_elements 0.17426
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34046
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34046
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34046
2
reference_url https://github.com/langflow-ai/langflow/pull/8956
reference_id 8956
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:57:05Z/
url https://github.com/langflow-ai/langflow/pull/8956
3
reference_url https://github.com/advisories/GHSA-8c4j-f57c-35cf
reference_id GHSA-8c4j-f57c-35cf
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8c4j-f57c-35cf
4
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-8c4j-f57c-35cf
reference_id GHSA-8c4j-f57c-35cf
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:57:05Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-8c4j-f57c-35cf
fixed_packages
0
url pkg:pypi/langflow@1.5.1
purl pkg:pypi/langflow@1.5.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1vhk-ax4w-juca
1
vulnerability VCID-64jj-rzvk-33f7
2
vulnerability VCID-6m8d-fx7p-23g4
3
vulnerability VCID-6sd1-av8j-sbdy
4
vulnerability VCID-6y1z-b2ye-jkd6
5
vulnerability VCID-6zu3-1ch5-kucf
6
vulnerability VCID-7g9e-cufb-67bg
7
vulnerability VCID-8fj2-6xd3-t3ac
8
vulnerability VCID-9pmh-48aa-q7d3
9
vulnerability VCID-apy6-s5uk-13hw
10
vulnerability VCID-h5jb-r3s8-gkbq
11
vulnerability VCID-hqcp-zjrm-t3dk
12
vulnerability VCID-hqmp-tfuk-1uh9
13
vulnerability VCID-tfr4-sg8u-xuec
14
vulnerability VCID-tq12-2qw8-2qgz
15
vulnerability VCID-yxtv-rc7j-aka5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.5.1
aliases CVE-2026-34046, GHSA-8c4j-f57c-35cf
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hfhf-2k6v-sbcf
16
url VCID-hqcp-zjrm-t3dk
vulnerability_id VCID-hqcp-zjrm-t3dk
summary Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, and then sends the request using a server-side httpx client. It does not block private IP ranges (127[.]0[.]0[.]1, the 10/172/192 ranges) or cloud metadata endpoints (169[.]254[.]169[.]254), and it returns the response body as the result. Because the flow execution endpoints (/api/v1/run, /api/v1/run/advanced) can be invoked with just an API key, if an attacker can control the API Request URL in a flow, non-blind SSRF is possible—accessing internal resources from the server’s network context. This enables requests to, and collection of responses from, internal administrative endpoints, metadata services, and internal databases/services, leading to information disclosure and providing a foothold for further attacks. Version 1.7.0 contains a patch for this issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-68477
reference_id
reference_type
scores
0
value 0.00027
scoring_system epss
scoring_elements 0.08113
published_at 2026-06-11T12:55:00Z
1
value 0.00027
scoring_system epss
scoring_elements 0.08148
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-68477
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-68477
reference_id CVE-2025-68477
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-68477
2
reference_url https://github.com/advisories/GHSA-5993-7p27-66g5
reference_id GHSA-5993-7p27-66g5
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5993-7p27-66g5
3
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-5993-7p27-66g5
reference_id GHSA-5993-7p27-66g5
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-19T17:23:37Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-5993-7p27-66g5
fixed_packages
0
url pkg:pypi/langflow@1.7.1
purl pkg:pypi/langflow@1.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1vhk-ax4w-juca
1
vulnerability VCID-6m8d-fx7p-23g4
2
vulnerability VCID-6sd1-av8j-sbdy
3
vulnerability VCID-7g9e-cufb-67bg
4
vulnerability VCID-9pmh-48aa-q7d3
5
vulnerability VCID-apy6-s5uk-13hw
6
vulnerability VCID-h5jb-r3s8-gkbq
7
vulnerability VCID-hqmp-tfuk-1uh9
8
vulnerability VCID-tfr4-sg8u-xuec
9
vulnerability VCID-tq12-2qw8-2qgz
10
vulnerability VCID-yxtv-rc7j-aka5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.7.1
aliases CVE-2025-68477, GHSA-5993-7p27-66g5
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hqcp-zjrm-t3dk
17
url VCID-hrmb-buvy-kuh7
vulnerability_id VCID-hrmb-buvy-kuh7
summary Langflow is a tool for building and deploying AI-powered agents and workflows. A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command langflow superuser to create a new administrative user. This results in full superuser access, even if the user initially registered through the UI as a regular (non-admin) account. A patched version has not been made public at this time.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-57760
reference_id
reference_type
scores
0
value 0.00018
scoring_system epss
scoring_elements 0.05208
published_at 2026-06-12T12:55:00Z
1
value 0.00018
scoring_system epss
scoring_elements 0.05196
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-57760
1
reference_url https://github.com/langflow-ai/langflow/pull/9152
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/pull/9152
2
reference_url http://github.com/langflow-ai/langflow/pull/9152
reference_id 9152
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-25T20:34:06Z/
url http://github.com/langflow-ai/langflow/pull/9152
3
reference_url https://github.com/langflow-ai/langflow/commit/c188ec113c9ca46154ad01d0eded1754cc6bef97
reference_id c188ec113c9ca46154ad01d0eded1754cc6bef97
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-25T20:34:06Z/
url https://github.com/langflow-ai/langflow/commit/c188ec113c9ca46154ad01d0eded1754cc6bef97
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-57760
reference_id CVE-2025-57760
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-57760
5
reference_url https://github.com/advisories/GHSA-4gv9-mp8m-592r
reference_id GHSA-4gv9-mp8m-592r
reference_type
scores
url https://github.com/advisories/GHSA-4gv9-mp8m-592r
6
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-4gv9-mp8m-592r
reference_id GHSA-4gv9-mp8m-592r
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-25T20:34:06Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-4gv9-mp8m-592r
fixed_packages
0
url pkg:pypi/langflow@1.5.1
purl pkg:pypi/langflow@1.5.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1vhk-ax4w-juca
1
vulnerability VCID-64jj-rzvk-33f7
2
vulnerability VCID-6m8d-fx7p-23g4
3
vulnerability VCID-6sd1-av8j-sbdy
4
vulnerability VCID-6y1z-b2ye-jkd6
5
vulnerability VCID-6zu3-1ch5-kucf
6
vulnerability VCID-7g9e-cufb-67bg
7
vulnerability VCID-8fj2-6xd3-t3ac
8
vulnerability VCID-9pmh-48aa-q7d3
9
vulnerability VCID-apy6-s5uk-13hw
10
vulnerability VCID-h5jb-r3s8-gkbq
11
vulnerability VCID-hqcp-zjrm-t3dk
12
vulnerability VCID-hqmp-tfuk-1uh9
13
vulnerability VCID-tfr4-sg8u-xuec
14
vulnerability VCID-tq12-2qw8-2qgz
15
vulnerability VCID-yxtv-rc7j-aka5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.5.1
aliases CVE-2025-57760, GHSA-4gv9-mp8m-592r
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hrmb-buvy-kuh7
18
url VCID-qk1g-twgk-9yej
vulnerability_id VCID-qk1g-twgk-9yej
summary Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-37014
reference_id
reference_type
scores
0
value 0.0596
scoring_system epss
scoring_elements 0.90889
published_at 2026-06-12T12:55:00Z
1
value 0.0596
scoring_system epss
scoring_elements 0.9086
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-37014
1
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2024-177.yaml
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2024-177.yaml
2
reference_url https://github.com/langflow-ai/langflow/issues/1973
reference_id 1973
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-12T14:47:28Z/
url https://github.com/langflow-ai/langflow/issues/1973
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-37014
reference_id CVE-2024-37014
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-37014
4
reference_url https://github.com/advisories/GHSA-qg33-x2c5-6p44
reference_id GHSA-qg33-x2c5-6p44
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qg33-x2c5-6p44
fixed_packages
0
url pkg:pypi/langflow@1.0.0a3
purl pkg:pypi/langflow@1.0.0a3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1vhk-ax4w-juca
1
vulnerability VCID-64jj-rzvk-33f7
2
vulnerability VCID-6m8d-fx7p-23g4
3
vulnerability VCID-6sd1-av8j-sbdy
4
vulnerability VCID-6y1z-b2ye-jkd6
5
vulnerability VCID-6zu3-1ch5-kucf
6
vulnerability VCID-7g9e-cufb-67bg
7
vulnerability VCID-8fj2-6xd3-t3ac
8
vulnerability VCID-9pmh-48aa-q7d3
9
vulnerability VCID-apy6-s5uk-13hw
10
vulnerability VCID-dyj1-bd1u-xfby
11
vulnerability VCID-fmgm-qx2r-kbev
12
vulnerability VCID-gqz9-n71r-g7dh
13
vulnerability VCID-guzs-mx47-efcn
14
vulnerability VCID-h5jb-r3s8-gkbq
15
vulnerability VCID-hfhf-2k6v-sbcf
16
vulnerability VCID-hqcp-zjrm-t3dk
17
vulnerability VCID-hrmb-buvy-kuh7
18
vulnerability VCID-qk1g-twgk-9yej
19
vulnerability VCID-t5kz-ceey-83em
20
vulnerability VCID-tfr4-sg8u-xuec
21
vulnerability VCID-yxtv-rc7j-aka5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.0.0a3
1
url pkg:pypi/langflow@1.0.15
purl pkg:pypi/langflow@1.0.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1vhk-ax4w-juca
1
vulnerability VCID-64jj-rzvk-33f7
2
vulnerability VCID-6m8d-fx7p-23g4
3
vulnerability VCID-6sd1-av8j-sbdy
4
vulnerability VCID-6y1z-b2ye-jkd6
5
vulnerability VCID-6zu3-1ch5-kucf
6
vulnerability VCID-7g9e-cufb-67bg
7
vulnerability VCID-8fj2-6xd3-t3ac
8
vulnerability VCID-9pmh-48aa-q7d3
9
vulnerability VCID-apy6-s5uk-13hw
10
vulnerability VCID-dyj1-bd1u-xfby
11
vulnerability VCID-gqz9-n71r-g7dh
12
vulnerability VCID-guzs-mx47-efcn
13
vulnerability VCID-h5jb-r3s8-gkbq
14
vulnerability VCID-hfhf-2k6v-sbcf
15
vulnerability VCID-hqcp-zjrm-t3dk
16
vulnerability VCID-hrmb-buvy-kuh7
17
vulnerability VCID-t5kz-ceey-83em
18
vulnerability VCID-tfr4-sg8u-xuec
19
vulnerability VCID-tq12-2qw8-2qgz
20
vulnerability VCID-yxtv-rc7j-aka5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.0.15
aliases CVE-2024-37014, GHSA-qg33-x2c5-6p44, PYSEC-2024-177
risk_score 4.4
exploitability 0.5
weighted_severity 8.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qk1g-twgk-9yej
19
url VCID-t5kz-ceey-83em
vulnerability_id VCID-t5kz-ceey-83em
summary A vulnerability classified as problematic was found in Langflow up to 1.0.18. Affected by this vulnerability is an unknown functionality of the file \src\backend\base\langflow\interface\utils.py of the component HTTP POST Request Handler. The manipulation of the argument remaining_text leads to inefficient regular expression complexity. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-9277
reference_id
reference_type
scores
0
value 0.0017
scoring_system epss
scoring_elements 0.38015
published_at 2026-06-11T12:55:00Z
1
value 0.0017
scoring_system epss
scoring_elements 0.38191
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-9277
1
reference_url https://github.com/langflow-ai/langflow/blob/main/src/backend/base/langflow/interface/utils.py#L65
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/langflow-ai/langflow/blob/main/src/backend/base/langflow/interface/utils.py#L65
2
reference_url https://vuldb.com/?ctiid.278659
reference_id ?ctiid.278659
reference_type
scores
0
value 2.3
scoring_system cvssv2
scoring_elements AV:A/AC:M/Au:S/C:N/I:N/A:P
1
value 3.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
2
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
3
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-27T15:01:06Z/
url https://vuldb.com/?ctiid.278659
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-9277
reference_id CVE-2024-9277
reference_type
scores
0
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-9277
4
reference_url https://github.com/advisories/GHSA-355v-2rjx-fpx7
reference_id GHSA-355v-2rjx-fpx7
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-355v-2rjx-fpx7
5
reference_url https://vuldb.com/?id.278659
reference_id ?id.278659
reference_type
scores
0
value 2.3
scoring_system cvssv2
scoring_elements AV:A/AC:M/Au:S/C:N/I:N/A:P
1
value 3.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
2
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
3
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-27T15:01:06Z/
url https://vuldb.com/?id.278659
6
reference_url https://rumbling-slice-eb0.notion.site/Remote-Redos-in-https-github-com-langflow-ai-langflow-067159ced0d5494e91b06071384969c4?pvs=4
reference_id Remote-Redos-in-https-github-com-langflow-ai-langflow-067159ced0d5494e91b06071384969c4?pvs=4
reference_type
scores
0
value 2.3
scoring_system cvssv2
scoring_elements AV:A/AC:M/Au:S/C:N/I:N/A:P
1
value 3.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
2
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
3
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-27T15:01:06Z/
url https://rumbling-slice-eb0.notion.site/Remote-Redos-in-https-github-com-langflow-ai-langflow-067159ced0d5494e91b06071384969c4?pvs=4
7
reference_url https://vuldb.com/?submit.410043
reference_id ?submit.410043
reference_type
scores
0
value 2.3
scoring_system cvssv2
scoring_elements AV:A/AC:M/Au:S/C:N/I:N/A:P
1
value 3.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
2
value 3.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
3
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-27T15:01:06Z/
url https://vuldb.com/?submit.410043
fixed_packages
aliases CVE-2024-9277, GHSA-355v-2rjx-fpx7
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t5kz-ceey-83em
20
url VCID-tfr4-sg8u-xuec
vulnerability_id VCID-tfr4-sg8u-xuec
summary A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function get_client_ip/install_mcp_config of the file src/backend/base/langflow/api/v1/mcp_projects.py of the component Model Context Protocol Configuration API. Performing a manipulation of the argument X-Forwarded-For results in injection. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-6599
reference_id
reference_type
scores
0
value 0.00053
scoring_system epss
scoring_elements 0.16984
published_at 2026-06-12T12:55:00Z
1
value 0.00053
scoring_system epss
scoring_elements 0.16827
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-6599
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-6599
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-6599
2
reference_url https://vuldb.com/vuln/358234
reference_id 358234
reference_type
scores
0
value 6.5
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:W/RC:UR
1
value 6.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R
2
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
3
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R
4
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
5
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:24:29Z/
url https://vuldb.com/vuln/358234
3
reference_url https://vuldb.com/submit/791922
reference_id 791922
reference_type
scores
0
value 6.5
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:W/RC:UR
1
value 6.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R
2
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
3
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R
4
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
5
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:24:29Z/
url https://vuldb.com/submit/791922
4
reference_url https://gist.github.com/chenhouser2025/a909c47316b7a0948ee68c109ab747a3
reference_id a909c47316b7a0948ee68c109ab747a3
reference_type
scores
0
value 6.5
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:W/RC:UR
1
value 6.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R
2
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R
3
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
5
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:24:29Z/
url https://gist.github.com/chenhouser2025/a909c47316b7a0948ee68c109ab747a3
5
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
reference_id cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
6
reference_url https://vuldb.com/vuln/358234/cti
reference_id cti
reference_type
scores
0
value 6.5
scoring_system cvssv2
scoring_elements AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:W/RC:UR
1
value 6.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R
2
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
3
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R
4
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
5
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:24:29Z/
url https://vuldb.com/vuln/358234/cti
7
reference_url https://github.com/advisories/GHSA-v66p-f7x3-4794
reference_id GHSA-v66p-f7x3-4794
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v66p-f7x3-4794
fixed_packages
0
url pkg:pypi/langflow@1.8.4
purl pkg:pypi/langflow@1.8.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6m8d-fx7p-23g4
1
vulnerability VCID-7g9e-cufb-67bg
2
vulnerability VCID-9pmh-48aa-q7d3
3
vulnerability VCID-hqmp-tfuk-1uh9
4
vulnerability VCID-tq12-2qw8-2qgz
5
vulnerability VCID-yxtv-rc7j-aka5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.8.4
aliases CVE-2026-6599, GHSA-v66p-f7x3-4794
risk_score 3.0
exploitability 0.5
weighted_severity 5.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tfr4-sg8u-xuec
21
url VCID-yxtv-rc7j-aka5
vulnerability_id VCID-yxtv-rc7j-aka5
summary Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiates the generated class server-side. In deployments where an attacker can access the Agentic Assistant feature and influence the model output, this can result in arbitrary server-side Python execution. Version 1.9.0 fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33873
reference_id
reference_type
scores
0
value 0.00065
scoring_system epss
scoring_elements 0.20602
published_at 2026-06-12T12:55:00Z
1
value 0.00065
scoring_system epss
scoring_elements 0.20426
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33873
1
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2026-82.yaml
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2026-82.yaml
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33873
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33873
3
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L142-L156
reference_id assistant_service.py#L142-L156
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L142-L156
4
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L259-L300
reference_id assistant_service.py#L259-L300
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L259-L300
5
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L58-L79
reference_id assistant_service.py#L58-L79
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L58-L79
6
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/services/settings/auth.py#L71-L87
reference_id auth.py#L71-L87
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/services/settings/auth.py#L71-L87
7
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/helpers/code_extraction.py#L11-L53
reference_id code_extraction.py#L11-L53
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/helpers/code_extraction.py#L11-L53
8
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/api/utils/core.py#L38
reference_id core.py#L38
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/api/utils/core.py#L38
9
reference_url https://github.com/advisories/GHSA-v8hw-mh8c-jxfc
reference_id GHSA-v8hw-mh8c-jxfc
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v8hw-mh8c-jxfc
10
reference_url https://github.com/langflow-ai/langflow/security/advisories/GHSA-v8hw-mh8c-jxfc
reference_id GHSA-v8hw-mh8c-jxfc
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/security/advisories/GHSA-v8hw-mh8c-jxfc
11
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/api/v1/login.py#L96-L135
reference_id login.py#L96-L135
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/api/v1/login.py#L96-L135
12
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/api/router.py#L252-L297
reference_id router.py#L252-L297
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/api/router.py#L252-L297
13
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/api/schemas.py#L20-L31
reference_id schemas.py#L20-L31
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/api/schemas.py#L20-L31
14
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/services/auth/utils.py#L156-L163
reference_id utils.py#L156-L163
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/services/auth/utils.py#L156-L163
15
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/services/auth/utils.py#L39-L53
reference_id utils.py#L39-L53
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/services/auth/utils.py#L39-L53
16
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L241-L272
reference_id validate.py#L241-L272
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L241-L272
17
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L394-L399
reference_id validate.py#L394-L399
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L394-L399
18
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L441-L443
reference_id validate.py#L441-L443
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L441-L443
19
reference_url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/helpers/validation.py#L27-L47
reference_id validation.py#L27-L47
reference_type
scores
0
value 9.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-01T03:55:31Z/
url https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/helpers/validation.py#L27-L47
fixed_packages
0
url pkg:pypi/langflow@1.9.0
purl pkg:pypi/langflow@1.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6m8d-fx7p-23g4
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@1.9.0
aliases CVE-2026-33873, GHSA-v8hw-mh8c-jxfc, PYSEC-2026-82
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yxtv-rc7j-aka5
Fixing_vulnerabilities
Risk_score 10.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow@0.0.32