{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37304?format=json","vulnerability_id":"VCID-3k4a-kytp-kbhx","summary":"LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters 1.1.2, HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using validate_safe_url() but then performed the fetch with requests.get() with redirects enabled (the default). Because redirect targets were not revalidated, a URL pointing to an attacker-controlled server could redirect to internal, localhost, or cloud metadata endpoints, bypassing SSRF protections. The response body is parsed and returned as Document objects to the calling application code. Whether this constitutes a data exfiltration path depends on the application: if it exposes Document contents (or derivatives) back to the requester who supplied the URL, sensitive data from internal endpoints could be leaked. Applications that store or process Documents internally without returning raw content to the requester are not directly exposed to data exfiltration through this issue. 
This vulnerability is fixed in 1.1.2.","aliases":[{"alias":"CVE-2026-41481"},{"alias":"GHSA-fv5p-p927-qmxr"},{"alias":"PYSEC-2026-77"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49707?format=json","purl":"pkg:pypi/langchain-text-splitters@1.1.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@1.1.2"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49681?format=json","purl":"pkg:pypi/langchain-text-splitters@0.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.0.1"},{"url":"http://public2.vulnerablecode.io/api/packages/49682?format=json","purl":"pkg:pypi/langchain-text-splitters@0.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.0.2"},{"url":"http://public2.vulnerablecode.io/api/packages/49683?format=json","purl":"pkg:pypi/langchain-text-splitters@0.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.2.0"},{"url":"http://public2.vulnerablecode.io/api/packages/49684?format=json","purl":"pkg:pypi/langchain-text-splitters@0.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.2.1"},{"url":"http://public2.vulnerablecode.io/api/packages/49685?format=json","purl":"pkg:pypi/langchain-text-splitters@0.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langc
hain-text-splitters@0.2.2"},{"url":"http://public2.vulnerablecode.io/api/packages/49686?format=json","purl":"pkg:pypi/langchain-text-splitters@0.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.2.4"},{"url":"http://public2.vulnerablecode.io/api/packages/49687?format=json","purl":"pkg:pypi/langchain-text-splitters@0.3.0.dev0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.3.0.dev0"},{"url":"http://public2.vulnerablecode.io/api/packages/49688?format=json","purl":"pkg:pypi/langchain-text-splitters@0.3.0.dev1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.3.0.dev1"},{"url":"http://public2.vulnerablecode.io/api/packages/49689?format=json","purl":"pkg:pypi/langchain-text-splitters@0.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.3.0"},{"url":"http://public2.vulnerablecode.io/api/packages/49690?format=json","purl":"pkg:pypi/langchain-text-splitters@0.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/49691?format=json","purl":"pkg:pypi/langchain-text-splitters@0.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.3.2"},{"url":"http://public2.vulnerablecode.io/api/packages/49692?fo
rmat=json","purl":"pkg:pypi/langchain-text-splitters@0.3.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.3.3"},{"url":"http://public2.vulnerablecode.io/api/packages/49693?format=json","purl":"pkg:pypi/langchain-text-splitters@0.3.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.3.4"},{"url":"http://public2.vulnerablecode.io/api/packages/49694?format=json","purl":"pkg:pypi/langchain-text-splitters@0.3.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.3.5"},{"url":"http://public2.vulnerablecode.io/api/packages/49695?format=json","purl":"pkg:pypi/langchain-text-splitters@0.3.6rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.3.6rc1"},{"url":"http://public2.vulnerablecode.io/api/packages/49696?format=json","purl":"pkg:pypi/langchain-text-splitters@0.3.6rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.3.6rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/49697?format=json","purl":"pkg:pypi/langchain-text-splitters@0.3.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.3.6"},{"url":"http://public2.vulnerablecode.io/api/packages/49698?format=json","purl":"pkg:pypi/langchain-text-splitters@0.3.7","is_vulnerable":true,"affected_by_vuln
erabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.3.7"},{"url":"http://public2.vulnerablecode.io/api/packages/49699?format=json","purl":"pkg:pypi/langchain-text-splitters@0.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.3.8"},{"url":"http://public2.vulnerablecode.io/api/packages/49700?format=json","purl":"pkg:pypi/langchain-text-splitters@0.3.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.3.9"},{"url":"http://public2.vulnerablecode.io/api/packages/49701?format=json","purl":"pkg:pypi/langchain-text-splitters@0.3.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.3.10"},{"url":"http://public2.vulnerablecode.io/api/packages/49702?format=json","purl":"pkg:pypi/langchain-text-splitters@0.3.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@0.3.11"},{"url":"http://public2.vulnerablecode.io/api/packages/49703?format=json","purl":"pkg:pypi/langchain-text-splitters@1.0.0a1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@1.0.0a1"},{"url":"http://public2.vulnerablecode.io/api/packages/49704?format=json","purl":"pkg:pypi/langchain-text-splitters@1.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.i
o/packages/pkg:pypi/langchain-text-splitters@1.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/49705?format=json","purl":"pkg:pypi/langchain-text-splitters@1.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@1.1.0"},{"url":"http://public2.vulnerablecode.io/api/packages/49706?format=json","purl":"pkg:pypi/langchain-text-splitters@1.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3k4a-kytp-kbhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-text-splitters@1.1.1"}],"references":[{"reference_url":"https://github.com/langchain-ai/langchain/security/advisories/GHSA-fv5p-p927-qmxr","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}],"url":"https://github.com/langchain-ai/langchain/security/advisories/GHSA-fv5p-p927-qmxr"}],"weaknesses":[],"exploits":[],"severity_range_score":"6.5 - 6.5","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3k4a-kytp-kbhx"}