6 matches found
CVE-2026-33497
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the downloadprofilepicture function of the /profilepictures/foldername/filename endpoint, the foldername and filename parameters are not strictly filtered, which allows the secretkey to be re...
Arbitrary Code Injection
Overview lfx is a lfx is a command-line tool for running Langflow workflows. It provides two main commands: serve and run. Affected versions of this package are vulnerable to Arbitrary Code Injection via the allowdangerouscode=True which automatically exposes LangChain’s Python REPL tool...
Arbitrary Code Injection
Overview lfx is a lfx is a command-line tool for running Langflow workflows. It provides two main commands: serve and run. Affected versions of this package are vulnerable to Arbitrary Code Injection via the code parameter in the validate endpoint. An attacker can execute arbitrary code with root...
Arbitrary Code Injection
Overview lfx is a lfx is a command-line tool for running Langflow workflows. It provides two main commands: serve and run. Affected versions of this package are vulnerable to Arbitrary Code Injection via the handling of Python function components. An attacker can execute arbitrary code by...
Eval Injection
Overview lfx is a lfx is a command-line tool for running Langflow workflows. It provides two main commands: serve and run. Affected versions of this package are vulnerable to Eval Injection via the evalcustomcomponentcode function. An attacker can execute arbitrary code by supplying a crafted...
The vulnerability of the HTTP Request Handler component of the Langflow agent and workflow creation/ deployment tool allows a attacker to execute arbitrary code.
The vulnerability of the HTTP Request Handler component of the Langflow agent and process creation/ deployment tool is related to the lack of authentication for the critical function. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...