Lucene search
K

764 matches found

IBM Security Bulletins
IBM Security Bulletins
added 2026/06/12 7:0 p.m.6 views

Security Bulletin: upload filename directly from the multipart Content-Disposition header without sanitization

Summary Langflow OSS 1.2.0 - 1.8.4 are affected by a critical arbitrary file write vulnerability in the files endpoint due to improper handling of uploaded filenames. The application extracts the filename directly from the multipart Content-Disposition header without sanitization and uses unsafe...

6.5CVSS5.5AI score0.00275EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/12 6:59 p.m.8 views

Security Bulletin: Unauthenticated Insecure Direct Object Reference (IDOR) Vulnerability in Langflow Desktop Image Download Endpoint

Summary IBM Langflow Desktop contains a vulnerability in its image retrieval functionality where the GET /api/v1/files/images/flowid/filename endpoint fails to enforce authentication and ownership validation, allowing any unauthenticated user to access image files by supplying a valid flow...

7.5CVSS5.2AI score0.0034EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/12 6:58 p.m.9 views

Security Bulletin: Langflow OSS Unauthenticated IDOR on Image Downloads

Summary Langflow OSS versions 1.0.0 - 1.8.4 are affected by an insecure direct object reference vulnerability in the image download endpoint due to missing authentication and authorization checks. The images endpoint serves image files without verifying user identity or ownership. An user who get...

7.5CVSS5.3AI score0.0034EPSS
Exploits0Affected Software1
NVD
NVD
added 2026/06/11 4:16 p.m.15 views

CVE-2026-7787

IBM Langflow OSS 1.0.0 through 1.9.1 could allow an authenticated user to read or modify sensitive information by bypassing authentication using insecure direct object references...

8.1CVSS0.00248EPSS
Exploits0References1
NVD
NVD
added 2026/06/11 4:16 p.m.14 views

CVE-2026-3341

IBM Langflow Desktop 1.0.0 through 1.9.2 IBM Langflow is vulnerable to server-side request forgery SSRF. This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks...

5.4CVSS0.00138EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/11 2:47 p.m.10 views

EUVD-2026-36254

IBM Langflow Desktop 1.0.0 through 1.9.2 IBM Langflow is vulnerable to server-side request forgery SSRF. This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks...

5.4CVSS5.5AI score0.00138EPSS
Exploits0References1
CVE
CVE
added 2026/06/11 2:47 p.m.36 views

CVE-2026-3341

CVE-2026-3341 affects IBM Langflow Desktop 1.0.0–1.9.2. The root cause is a TOCTOU DNS rebinding flaw in SSRF protection: validate_url_for_ssrf() uses socket.getaddrinfo(), while httpx.AsyncClient() conducts a separate DNS lookup during connection, allowing an attacker-controlled DNS domain with ...

5.4CVSS5.5AI score0.00138EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/11 2:47 p.m.11 views

CVE-2026-3341 IBM Langflow Desktop 1.0.0 - 1.9.2 DNS Rebinding Bypasses SSRF Protection Allowing Access to Internal Services

IBM Langflow Desktop 1.0.0 through 1.9.2 IBM Langflow is vulnerable to server-side request forgery SSRF. This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks...

5.4CVSS5.5AI score0.00138EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/11 2:47 p.m.30 views

CVE-2026-3341 IBM Langflow Desktop 1.0.0 - 1.9.2 DNS Rebinding Bypasses SSRF Protection Allowing Access to Internal Services

IBM Langflow Desktop 1.0.0 through 1.9.2 IBM Langflow is vulnerable to server-side request forgery SSRF. This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks...

5.4CVSS0.00138EPSS
Exploits0References1
CVE
CVE
added 2026/06/11 2:41 p.m.30 views

CVE-2026-7787

CVE-2026-7787 affects Langflow OSS versions 1.0.0–1.9.1. A session ID namespace bypass in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows unauthenticated attackers to read or modify chat history by overriding the session_id used during flow execution when a PUBLIC flow includes a...

8.1CVSS5.4AI score0.00248EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/11 2:41 p.m.9 views

CVE-2026-7787 Unauthenticated Session History Access via Public Flow Execution

IBM Langflow OSS 1.0.0 through 1.9.1 could allow an authenticated user to read or modify sensitive information by bypassing authentication using insecure direct object references...

7.5CVSS5.5AI score0.00248EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/11 2:41 p.m.12 views

EUVD-2026-36251

IBM Langflow OSS 1.0.0 through 1.9.1 could allow an authenticated user to read or modify sensitive information by bypassing authentication using insecure direct object references...

7.5CVSS5.4AI score0.00248EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/11 2:41 p.m.35 views

CVE-2026-7787 Unauthenticated Session History Access via Public Flow Execution

IBM Langflow OSS 1.0.0 through 1.9.1 could allow an authenticated user to read or modify sensitive information by bypassing authentication using insecure direct object references...

7.5CVSS0.00248EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.16 views

PT-2026-48674

IBM Langflow OSS 1.0.0 through 1.9.1 could allow an authenticated user to read or modify sensitive information by bypassing authentication using insecure direct object references...

7.5CVSS5.4AI score0.00248EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/06/11 12:0 a.m.23 views

IBM Langflow 安全漏洞

IBM Langflow is a visual process orchestration tool developed by the American multinational company International Business Machines IBM. Versions 1.0.0 to 1.9.1 of IBM Langflow contain security vulnerabilities. These vulnerabilities stem from insecure direct object references, which could allow...

8.1CVSS5.4AI score0.00248EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/11 12:0 a.m.17 views

IBM Langflow Desktop 代码问题漏洞

IBM Langflow Desktop is a desktop application for AI process orchestration developed by IBM. Versions 1.0.0 to 1.9.2 of IBM Langflow Desktop have code vulnerabilities. These vulnerabilities are due to susceptibility to server-side request forgeing attacks, which may allow authenticated attackers ...

5.4CVSS5.5AI score0.00138EPSS
Exploits0References1
GithubExploit
GithubExploit
added 2026/06/10 7:18 p.m.139 views

Exploit for CVE-2026-5027

CV...

8.8CVSS5.7AI score0.02104EPSS
Exploits4
The Hacker News
The Hacker News
added 2026/06/10 3:0 p.m.17 views

Langflow Vulnerability CVE-2026-5027 Exploited for Unauthenticated RCE

A high-severity security flaw in Langflow, an open-source low-code platform to build artificial intelligence AI applications, has come under active exploitation in the wild, according to findings from VulnCheck. The vulnerability in question is CVE-2026-5027 CVSS score: 8.8, a case of path...

8.8CVSS6.1AI score0.02104EPSS
Exploits4
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/08 6:47 p.m.10 views

Security Bulletin: Unauthenticated Session History Access via Public Flow Execution

Summary A session ID namespace bypass vulnerability existed in Langflow OSS' POST /api/v1/buildpublictmp/flowid/flow endpoint that allowed unauthenticated attackers to access chat history from other users' sessions. The endpoint accepted an inputs.session parameter that could override the session...

8.1CVSS5.5AI score0.00248EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/08 6:45 p.m.10 views

Security Bulletin: Langflow OSS affected by vulnerabilies in Axios versions prior to 1.15.0

Summary Langflow OSS affected by vulnerabilies in Axios versions prior to 1.15.0 Vulnerability Details CVEID:CVE-2026-40175 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in...

9CVSS5.4AI score0.01815EPSS
Exploits5Affected Software1
Rows per page
Query Builder