3 matches found
CVE-2026-13448 Langflow is affected by remote code execution, denial of service, path traversal, and exposed credentials due to multiple unauthenticated and insufficiently authorized API endpoints
IBM Langflow OSS 1.0.0 through 1.10.1 Lanflow OSS contains an unauthenticated remote code execution vulnerability in the public flow build endpoint /api/v1/buildpublictmp/flowid/flow . The vulnerability stems from an incomplete denylist in the validatepublicflownocodeexecution function that fails...
CVE-2026-41137 Flowise: Code Injection in CSVAgent leads to Authenticated RCE
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the...
CVE-2026-41137
Flowise CVE-2026-41137 affects the Flowise UI stack, specifically the CSVAgent component, which allows providing a custom Pandas CSV read code. The lack of sanitization enables a command-injection payload to be interpolated and executed by the server. This is documented across multiple sources, w...