
16 matches found

NVD (added 2 days ago, 5 views)
CVE-2026-7871
IBM Langflow OSS 1.0.0 through 1.10.0 allows users with Redis access to execute arbitrary code with full application privileges, compromising all secrets, data, and system integrity...
CVSS 9.8 | EPSS 0.00386 | Exploits 0 | References 1

Cvelist (added 2 days ago, 29 views)
CVE-2026-10560 Unauthenticated Access to Private Flow Build Events and Cancellation in Langflow OSS
IBM Langflow OSS 1.0.0 through 1.9.6 contains a missing authentication vulnerability in the /api/v1/build_public_tmp/ endpoints that allows an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial of service...
CVSS 8.2 | EPSS 0.00252 | Exploits 0 | References 1

EUVD (added 2 days ago, 4 views)
EUVD-2026-40401
IBM Langflow OSS 1.0.0 through 1.9.6 contains a missing authentication vulnerability in the /api/v1/build_public_tmp/ endpoints that allows an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial of service...
CVSS 8.2 | AI score 5.8 | EPSS 0.00252 | Exploits 0 | References 1

CVE (added 2 days ago, 15 views)
CVE-2026-7663
IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint...
CVSS 9.1 | AI score 5.8 | EPSS 0.0024 | Exploits 0 | References 1

EUVD (added 2 days ago, 4 views)
EUVD-2026-40380
IBM Langflow OSS 1.0.0 through 1.10.0 could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest...
CVSS 9.1 | AI score 5.8 | EPSS 0.00164 | Exploits 0 | References 1

IBM Security Bulletins (added 3 days ago, 5 views)
Security Bulletin: Insecure Deserialization in Redis Cache Backend
Summary: A deserialization vulnerability was identified in the Redis cache service that could allow attackers with network access to the Redis instance to execute arbitrary code. The cache service used dill.loads to deserialize cached values without integrity verification, enabling attackers to...
CVSS 9.8 | AI score 6.2 | EPSS 0.00386 | Exploits 0 | Affected Software 1

IBM Security Bulletins (added last week, 3 views)
Security Bulletin: SSRF Vulnerability in Langflow OSS Legacy Components Bypasses Protection
Summary: Langflow OSS versions = 1.9.3 contain an SSRF vulnerability in the legacy RSS Reader and SearXNG components that bypasses the SSRF protection introduced in v1.9.3. RSSReaderComponent calls requests.get(self.rss_url) directly on user input without the validate_url_for_ssrf check, completely bypassing the protection...
CVSS 8.2 | AI score 5.9 | EPSS 0.0021 | Exploits 0 | Affected Software 1

IBM Security Bulletins (added 2026/06/23 4:08 p.m., 3 views)
Security Bulletin: DNS Rebinding TOCTOU Bypass of SSRF Protection in Langflow OSS URL Component
Summary: Langflow OSS contains a DNS rebinding TOCTOU vulnerability that bypasses its SSRF protection. The URL component validates URLs with validate_url_for_ssrf but fetches them via RecursiveUrlLoader, which performs an independent DNS resolution, creating an exploitable TOCTOU window. Maintainers fixed an identical issue in...
CVSS 7.1 | AI score 5.8 | EPSS 0.00145 | Exploits 0 | Affected Software 1

NVD (added 2026/06/22 4:16 p.m., 10 views)
CVE-2026-7664
IBM Langflow OSS 1.0.0 through 1.8.4 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint...
CVSS 9.8 | EPSS 0.00277 | Exploits 0 | References 1

CVE (added 2026/06/22 2:10 p.m., 12 views)
CVE-2026-7664
Summary: IBM Langflow OSS versions 1.0.0–1.8.4 are affected by an unauthenticated access issue due to improper authorization enforcement on the Streamable MCP transport endpoint, potentially allowing access to protected MCP project resources and execution of MCP operations. Affected products/vers...
CVSS 9.8 | AI score 5.9 | EPSS 0.00277 | Exploits 0 | References 1 | Affected Software 1

EUVD (added 2026/06/22 1:22 p.m., 8 views)
EUVD-2026-38245
IBM Langflow OSS 1.0.0 through 1.9.3 has a vulnerability due to improper isolation of Python execution combined with an authentication bypass that allows an unauthenticated attacker to execute arbitrary code on the host system, resulting in complete compromise...
CVSS 10 | AI score 6.4 | EPSS 0.00502 | Exploits 0 | References 1

IBM Security Bulletins (added 2026/06/21 3:50 p.m., 3 views)
Security Bulletin: Unauthenticated Remote Code Execution in Langflow OSS PythonREPLComponent via Builtins Injection
Summary: Langflow OSS contains an unauthenticated RCE vulnerability in PythonREPLComponent ("Python Interpreter"). The component's get_globals builds a restricted globals dict from the global_imports whitelist (default: "math") but never sets globals["__builtins__"]. CPython's exec automatically inserts the full builtins...
CVSS 10 | AI score 6.4 | EPSS 0.00502 | Exploits 0 | Affected Software 1

CVE (added 2026/06/11 2:41 p.m., 27 views)
CVE-2026-7787
CVE-2026-7787 affects Langflow OSS versions 1.0.0–1.9.1. A session ID namespace bypass in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows unauthenticated attackers to read or modify chat history by overriding the session_id used during flow execution when a PUBLIC flow includes a...
CVSS 8.1 | AI score 5.4 | EPSS 0.00248 | Exploits 0 | References 1 | Affected Software 1

IBM Security Bulletins (added 2026/06/08 6:38 p.m., 6 views)
Security Bulletin: Langflow OSS affected by vulnerabilities in Axios versions prior to 1.15.0
Summary: Langflow OSS is affected by vulnerabilities in Axios versions prior to 1.15.0. Vulnerability Details: CVEID: CVE-2025-62718. DESCRIPTION: Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checki...
CVSS 9.9 | AI score 5.5 | EPSS 0.01186 | Exploits 1 | Affected Software 1

Cvelist (added 2026/05/27 1:16 p.m., 46 views)
CVE-2026-7528 Unauthenticated File Upload Vulnerability Allows Disk Space Exhaustion and Path Disclosure in Langflow OSS
IBM Langflow OSS 1.0.0 through 1.9.0 could allow a denial of service due to uncontrolled resource consumption...
CVSS 7.1 | EPSS 0.00215 | Exploits 0 | References 1

IBM Security Bulletins (added 2026/04/27 5:44 p.m., 8 views)
Security Bulletin: Langflow OSS Authenticated Remote Code Execution (RCE) vulnerability exists in the validate_code function
Summary: Langflow OSS contains a critical vulnerability in the code validation endpoint due to unsafe use of Python's exec function within the validate_code routine. While the feature is intended to validate user-supplied function definitions, it fails to account for Python decorators, which are executed...
CVSS 8.8 | AI score 7 | EPSS 0.0047 | Exploits 0 | Affected Software 1