ROOT-APP-PYPI-CVE-2026-41481 CVE-2026-41481 in rootio-langchain-text-splitters - Patched by Root

Root has patched CVE-2026-41481 in the rootio-langchain-text-splitters package for Root:PyPI. Multiple fixed versions available...

CVE-2026-41481 vulnerabilities

Vulnerabilities for packages: py3-langchain-text-splitters, open-webui...

CVE-2026-41481 vulnerabilities

Vulnerabilities for packages: open-webui, py3-langchain-text-splitters...

CVE-2026-41481

A flaw was found in LangChain and langchain-text-splitters. This vulnerability, a Server-Side Request Forgery SSRF bypass, allows a remote attacker to redirect a seemingly safe URL to internal network resources. By exploiting unvalidated redirects, an attacker could access sensitive data from...

a-mailx (=0.1.0), a2a-client-handler (=0.1.0) +1329 more potentially affected by CVE-2026-41481 via langchain-text-splitters (>=0.0.1 <=1.1.1)

langchain-text-splitters PYPI version =0.0.1, =0.1.0, =0.1.3, =0.1.0, =0.1.0b0, =0.0.1, =4.8.2, =0.0.1a1, =0.1.3, =0.1.0, =0.1.0, =1.0.0rc1, =2.6.1 and more Source cves: CVE-2026-41481 Source advisory: OSV:PYSEC-2026-77...

langchain-text-splitters 代码问题漏洞

langchain-text-splitters is a Python package open-sourced by LangChain. Versions of langchain-text-splitters prior to 1.1.2 had code vulnerabilities. These vulnerabilities stemmed from the use of the splittextfromurl method in HTMLHeaderTextSplitter, which initiated a redirection after verifying...

a-mailx (=0.1.0), a2a-client-handler (=0.1.0) +1329 more potentially affected by CVE-2026-41481 via langchain-text-splitters (>=0.0.1 <=1.1.1)

langchain-text-splitters PYPI version =0.0.1, =0.1.0, =0.1.3, =0.1.0, =0.1.0b0, =0.0.1, =4.8.2, =0.0.1a1, =0.1.3, =0.1.0, =0.1.0, =1.0.0rc1, =2.6.1 and more Source cves: CVE-2026-41481 Source advisory: OSV:GHSA-FV5P-P927-QMXR...

agent-nexus-cli (>=0.1.0 <=0.1.31), agentiva (>=0.1.0 <=0.1.5) +22 more potentially affected by CVE-2026-41481 via langchain-text-splitters (>=1.0.0 <=1.1.1)

langchain-text-splitters PYPI version =1.0.0, =0.1.0, =0.1.0, =3.0.3, =0.1.0, =0.1.0, =0.4.0, =0.8.0, =1.10.5, =0.6.1, =0.6.43, =0.8.8 and more Source cves: CVE-2026-41481 Source advisory: SNYK:PYTHON-LANGCHAINTEXTSPLITTERS-16095053...

Server-side Request Forgery (SSRF)

Overview langchain-text-splitters is a LangChain text splitting utilities Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the splittextfromurl function. An attacker can access internal network resources and potentially exfiltrate sensitive data by supplying...

GHSA-M42M-M8CR-8M58 vulnerabilities

Vulnerabilities for packages: py3-langchain-text-splitters, open-webui...

LangChain Text Splitters is vulnerable to XML External Entity (XXE) attacks due to unsafe XSLT parsing

The HTMLSectionSplitter class in langchain-text-splitters is vulnerable to XML External Entity XXE attacks due to unsafe XSLT parsing. This vulnerability arises because the class allows the use of arbitrary XSLT stylesheets, which are parsed using lxml.etree.parse and lxml.etree.XSLT without any...

a2a-client-handler (=0.1.0), aa-rag (>=0.1.0 <=0.4.3) +1309 more potentially affected by CVE-2025-6985 via langchain-text-splitters (>=0.0.1 <=0.3.8)

langchain-text-splitters PYPI version =0.0.1, =0.1.0, =0.1.3, =0.1.0, =0.1.0b0, =0.0.1, =4.8.2, =0.0.1a1, =0.1.0, =0.1.0, =1.0.0rc1, =3.2.0, =0.1.0, =0.1.3 and more Source cves: CVE-2025-6985 Source advisory: OSV:GHSA-M42M-M8CR-8M58...

CVE-2025-6985

The HTMLSectionSplitter class in langchain-text-splitters version 0.3.8 is vulnerable to XML External Entity XXE attacks due to unsafe XSLT parsing. This vulnerability arises because the class allows the use of arbitrary XSLT stylesheets, which are parsed using lxml.etree.parse and lxml.etree.XSL...

CVE-2025-6985

The CVE-2025-6985 entry concerns LangChain Text Splitters (langchain-text-splitters) v0.3.8, with an XML External Entity (XXE) risk due to unsafe XSLT parsing. The connected docs explain that arbitrary XSLT stylesheets are parsed using lxml.etree.parse() and lxml.etree.XSLT() without hardening, a...

langchain-text-splitters 代码问题漏洞

langchain-text-splitters is a Python package open-sourced by LangChain. A code issue vulnerability exists in langchain-text-splitters version 0.3.8, which stems from the HTMLSectionSplitter class allowing the use of arbitrary XSLT stylesheets, which could lead to an XML External Entity Attack,...

a2a-client-handler (=0.1.0), aa-rag (>=0.1.0 <=0.4.3) +1309 more potentially affected by CVE-2025-6985 via langchain-text-splitters (>=0.0.1 <=0.3.8)

langchain-text-splitters PYPI version =0.0.1, =0.1.0, =0.1.3, =0.1.0, =0.1.0b0, =0.0.1, =4.8.2, =0.0.1a1, =0.1.0, =0.1.0, =1.0.0rc1, =3.2.0, =0.1.0, =0.1.3 and more Source cves: CVE-2025-6985 Source advisory: SNYK:PYTHON-LANGCHAINTEXTSPLITTERS-12704815...

XML External Entity (XXE) Injection

Overview langchain-text-splitters is a LangChain text splitting utilities Affected versions of this package are vulnerable to XML External Entity XXE Injection due to insecure XML parser configurations and the presence of the xsltpath parameter in the HTMLSectionSplitter class. Details XXE...