Exploit for Code Injection in Langflow

CVE-2026-33017 — Langflow Unauthenticated Remote Code Executio...

📄 Langflow 1.8.1 Remote Code Execution

This Python script is a multi-threaded tool targeting a suspected vulnerability in Langflow versions 1.8.1 and below that allows unauthenticated remote code execution through unsafe execution of CustomComponent code during flow compilation...

Malicious code in sample-custom-component (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ade5f035c4d3f9fe74cfc0626c8ac011eeea6e88040376a03abee9cdf05290b7 The package sample-custom-component was found to contain malicious code. Source: ghsa-malware...

MAL-2026-1032 Malicious code in sample-custom-component (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ade5f035c4d3f9fe74cfc0626c8ac011eeea6e88040376a03abee9cdf05290b7 The package sample-custom-component was found to contain malicious code. Source: ghsa-malware...

CVE-2026-0769

Langflow evalcustomcomponentcode Eval Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the...

Eval Injection

Overview langflow is an A Python package with a built-in web application Affected versions of this package are vulnerable to Eval Injection via the evalcustomcomponentcode function. An attacker can execute arbitrary code by supplying a crafted string that is evaluated without proper validation...

Eval Injection

Overview lfx is a lfx is a command-line tool for running Langflow workflows. It provides two main commands: serve and run. Affected versions of this package are vulnerable to Eval Injection via the evalcustomcomponentcode function. An attacker can execute arbitrary code by supplying a crafted...

CVE-2026-0769 Langflow eval_custom_component_code Eval Injection Remote Code Execution Vulnerability

Langflow evalcustomcomponentcode Eval Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the...

CVE-2026-0769

CVE-2026-0769 (Langflow) is a remote-code-execution vulnerability in the Langflow project related to the function that handles eval_custom_component_code. The flaw stems from improper validation of a user-supplied string before it is used to execute Python code, allowing an attacker to run arbitr...

Langflow security vulnerabilities

Langflow is an open-source visualization framework developed by Langflow for building multi-agent and RAG applications. Langflow has a security vulnerability, which stems from the lack of validation for strings provided by users in the implementation of the evalcustomcomponentcode function. This...

(0Day) Langflow eval_custom_component_code Eval Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of evalcustomcomponentcode function. The issue results from the lack of prop...

PT-2026-1999

Name of the Vulnerable Software and Affected Versions Langflow affected versions not specified Description A flaw exists in Langflow that allows remote attackers to execute arbitrary code. This does not require authentication. The issue is due to insufficient validation of user-supplied input...

eq3btsmart (=0.0.0), fauxmo (>=0.1.0 <=0.3.6) +8 more potentially affected by CVE-2025-65713 via homeassistant (>=0.10.1 <=2025.7.4)

homeassistant PYPI version =0.10.1, =0.1.0, =1.1.5, =0.0.0, =2021.4.0, =0.4.11, =1.2.0, =0.1.1, =0.108.0, =0.109.0 Source cves: CVE-2025-65713 Source advisory: OSV:GHSA-PP3G-XMM4-5CW9...

formio-workers (>=1.0.0 <=1.5.0), ng2-formio (>=1.0.0-rc.24 <=1.0.0-rc.28) +1 more potentially affected by CVE-2025-67718 via formio (=1.91.13)

formio NPM version =1.91.13 is affected by a known vulnerability. The following packages have a transitive dependency on formio and may be impacted: - formio-workers =1.0.0, =1.0.0-rc.24, =1.0.0-rc.28 - v-formio-custom-component =0.1.1 Source cves: CVE-2025-67718 Source advisory:...

Directory Traversal

Gradio is vulnerable to Directory Traversal. The vulnerability is due to improper file path handling in the /customcomponent endpoint, allowing attackers to access source code from custom components by manipulating the file path...

SUSE CVE-2024-47166

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a one-level read path traversal in the /customcomponent endpoint. Attackers can exploit this flaw to access and leak source code from custom Gradio components by manipulating the file path in the...

PYSEC-2024-197

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a one-level read path traversal in the /customcomponent endpoint. Attackers can exploit this flaw to access and leak source code from custom Gradio components by manipulating the file path in the...

CVE-2024-47166 One-level read path traversal in `/custom_component` in Gradio

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a one-level read path traversal in the /customcomponent endpoint. Attackers can exploit this flaw to access and leak source code from custom Gradio components by manipulating the file path in the...

CVE-2024-47166 One-level read path traversal in `/custom_component` in Gradio

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a one-level read path traversal in the /customcomponent endpoint. Attackers can exploit this flaw to access and leak source code from custom Gradio components by manipulating the file path in the...

Directory Traversal

Overview gradio is a Python library for easily interacting with trained machine learning models Affected versions of this package are vulnerable to Directory Traversal via the /customcomponent endpoint. An attacker can access and leak source code from custom components by manipulating the file pa...