84 matches found
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Server-Side Request Forgery in LangChain [CVE-2026-26013]
Summary: IBM Watson Speech Services Cartridge is vulnerable to a Server-Side Request Forgery in LangChain, due to a faulty method that fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. CVE-2026-26013. LangChain is used in our speech runtime...
PYSEC-2026-77
LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters 1.1.2, HTMLHeaderTextSplitter.split_text_from_url validated the initial URL using validate_safe_url but then performed the fetch with requests.get with redirects enabled (the default). Because...
Security Bulletin: IBM watsonx.data integration has several vulnerabilities due to open source packages (CVE-2018-20225, CVE-2025-6985, CVE-2025-54368)
Summary: Open source packages are used as part of the overall processing in IBM watsonx.data integration. Vulnerability Details: CVEID: CVE-2018-20225 DESCRIPTION: An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intend...
Security Bulletin: IBM Rhapsody Systems Engineering is using langchain-0.3.30 which is vulnerable to CVE-2025-68665
Summary: A security vulnerability was identified in the LangChain OSS package used in our product. The issue has been resolved by removing the vulnerable package and all LangChain-related dependencies from the codebase. Vulnerability Details: CVEID: CVE-2025-68665 DESCRIPTION: LangChain is a framewo...
Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Node.js and LangChain
Summary: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Node.js and LangChain. CVE-2025-65945, CVE-2025-68664, CVE-2025-12758. The vulnerabilities have been addressed. Vulnerability Details: CVEID: CVE-2025-65945 DESCRIPTION:...
CVE-2024-58340
LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the MRKLOutputParser.parse method (libs/langchain/langchain/agents/mrkl/output_parser.py). The parser applies a backtracking-prone regular expression when extracting tool actions from...
CVE-2024-2057
A vulnerability was found in LangChain langchain_community 0.0.26. It has been classified as critical. Affected is the function load_local in the library libs/community/langchain_community/retrievers/tfidf.py of the component TFIDFRetriever. The manipulation leads to server-side request forgery. It ...
CVE-2025-68665 LangChain serialization injection vulnerability enables secret extraction
LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON method and subsequently when string-ifying objects using...
CVE-2025-68664 LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps and dumpd functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries...
@alvedder/deepagents (>=1.8.1-alvedder.0 <=1.8.3-alvedder.0), @axiom-lattice/agent-eval (>=2.1.9 <=2.1.51) +38 more potentially affected by CVE-2025-68665 via langchain (>=1.0.2 <=1.2.27)
langchain NPM version =1.0.2, =1.8.1-alvedder.0, =2.1.9, =2.1.0, =1.0.11, =2.1.0, =1.0.1, =1.0.0, =1.0.0, =0.1.3, =1.0.80, =3.66.0, =3.66.0, =1.0.0, =0.1.0, =0.1.1 and more Source cves: CVE-2025-68665 Source advisory: OSV:GHSA-R399-636X-V7F6...
10minions-engine (>=0.0.1 <=0.0.4), @0xd541ecb3/byte-babe (>=1.0.0 <=1.2.1) +727 more potentially affected by CVE-2025-68665 via langchain (>=0.0.100 <=0.3.35)
langchain NPM version =0.0.100, =0.0.1, =1.0.0, =0.0.1, =0.0.6, =0.0.9, =0.0.3, =0.0.1, =0.1.4, =3.0.0-beta.65.0, =0.0.11, =0.0.0, =0.0.2-alpha, =0.0.33-alpha2, =0.4.3-beta.1 and more Source cves: CVE-2025-68665 Source advisory: OSV:GHSA-R399-636X-V7F6...
EUVD-2025-198318
LangChain is a framework for building agents and LLM-powered applications. From versions 0.3.79 and prior and 1.0.0 to 1.0.6, a template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals through template syntax. This...
EUVD-2023-0117
Malicious code in bioql PyPI...
EUVD-2023-0118
Malicious code in bioql PyPI...
EUVD-2023-0115
Malicious code in bioql PyPI...
EUVD-2024-2130
Malicious code in bioql PyPI...
EUVD-2023-0121
Malicious code in bioql PyPI...
EUVD-2023-0119
Malicious code in bioql PyPI...
EUVD-2024-0987
Malicious code in bioql PyPI...
EUVD-2023-0113
Malicious code in bioql PyPI...