CVE-2026-3346

Summary: CVE-2026-3346 affects IBM Langflow Desktop 1.6.0–1.8.4. Affected component is the Markdown rendering pipeline via rehypeRaw, where unsafe handling allows an authenticated user to inject arbitrary JavaScript through a stored XSS vector, potentially leading to credentials disclosure within...

CVE-2026-3346 Stored Cross-Site Scripting (XSS) in Langflow Markdown Rendering via rehypeRaw

IBM Langflow Desktop 1.6.0 through 1.8.4 Lanflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...

Security Bulletin: Stored Cross-Site Scripting (XSS) in Langflow Markdown Rendering via rehypeRaw

Summary A stored cross-site scripting XSS vulnerability in Langflow allows attackers to inject and execute arbitrary HTML/JavaScript through the Playground event-streaming and Markdown rendering pipeline due to unsafe use of rehypeRaw without sanitization, potentially leading to session theft,...

CVE-2026-28509

LangBot is a global IM bot platform designed for LLMs. Prior to version 4.8.7, LangBot’s web UI renders user-supplied raw HTML using rehypeRaw, which can lead to a cross-site scripting XSS vulnerability. This issue has been patched in version 4.8.7...

EUVD-2026-9985

LangBot is a global IM bot platform designed for LLMs. Prior to version 4.8.7, LangBot’s web UI renders user-supplied raw HTML using rehypeRaw, which can lead to a cross-site scripting XSS vulnerability. This issue has been patched in version 4.8.7...

PT-2026-23641

Name of the Vulnerable Software and Affected Versions LangBot versions prior to 4.8.7 Description LangBot is a global IM bot platform designed for LLMs. Prior to version 4.8.7, the web UI renders user-supplied raw HTML using rehypeRaw, which can lead to a cross-site scripting XSS issue...