ROOT-APP-NPM-CVE-2026-40190 CVE-2026-40190 in @rootio/langsmith - Patched by Root

Root has patched CVE-2026-40190 in the @rootio/langsmith package for Root:npm. Multiple fixed versions available...

CVE-2026-40190 vulnerabilities

Vulnerabilities for packages: langfuse...

CVE-2026-40190 vulnerabilities

Vulnerabilities for packages: langfuse, langfuse-fips, librechat, kibana...

0xgasless-mcp (>=1.0.3 <=1.0.5), 4d-vector-search (>=1.0.0 <=1.0.1) +3114 more potentially affected by CVE-2026-40190 via langsmith (>=0.0.32 <=0.4.12)

langsmith NPM version =0.0.32, =1.0.3, =1.0.0, =1.11.0, =0.0.5, =0.0.1, =1.0.0, =0.0.0-dev-nicolas-fix-publishing-aurora-mcp-1750279939, =0.0.65, =1.0.6, =0.0.1, =1.0.0, =1.0.0, =1.0.0, =1.0.1 and more Source cves: CVE-2026-40190 Source advisory: SNYK:JS-LANGSMITH-15969264...

CVE-2026-40190

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK langsmith contains an incomplete prototype pollution fix in its internally vendored lodash set utility. The baseAssignValue function only guards against the...

CVE-2026-40190

creationtimestamp| type| source ---|---|--- 2026-04-09 18:42:43+00:00| published-proof-of-concept| https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-fw9q-39r9-c252 2026-04-10 22:10:52+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mj6dnzceml2x...