11 matches found
CVE-2026-25481
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.59.32, there is a bypass to the fix for CVE-2025-46724. TableChatAgent can call pandaseval tool to evaluate the expression. There is a WAF in langroid/utils/pandasutils.py introduced to block code...
CVE-2026-25481 Langroid has WAF Bypass Leading to RCE in TableChatAgent
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.59.32, there is a bypass to the fix for CVE-2025-46724. TableChatAgent can call pandaseval tool to evaluate the expression. There is a WAF in langroid/utils/pandasutils.py introduced to block code...
CVE-2026-25481 Langroid has WAF Bypass Leading to RCE in TableChatAgent
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.59.32, there is a bypass to the fix for CVE-2025-46724. TableChatAgent can call pandaseval tool to evaluate the expression. There is a WAF in langroid/utils/pandasutils.py introduced to block code...
EUVD-2025-13410
Malicious code in bioql PyPI...
CVE-2025-46724
Langroid is a Python framework to build large language model LLM-powered applications. Prior to version 0.53.15, TableChatAgent uses pandas eval. If fed by untrusted user input, like the case of a public-facing LLM application, it may be vulnerable to code injection. Langroid 0.53.15 sanitizes...
CVE-2025-46725 Langroid has a Code Injection vulnerability in LanceDocChatAgent through vector_store
Langroid is a Python framework to build large language model LLM-powered applications. Prior to version 0.53.15, LanceDocChatAgent uses pandas eval through computefromdocs. As a result, an attacker may be able to make the agent run malicious commands through QueryPlan.dataframecalc compromising t...
CVE-2025-46725 Langroid has a Code Injection vulnerability in LanceDocChatAgent through vector_store
Langroid is a Python framework to build large language model LLM-powered applications. Prior to version 0.53.15, LanceDocChatAgent uses pandas eval through computefromdocs. As a result, an attacker may be able to make the agent run malicious commands through QueryPlan.dataframecalc compromising t...
CVE-2025-46724 Langroid has a Code Injection vulnerability in TableChatAgent
Langroid is a Python framework to build large language model LLM-powered applications. Prior to version 0.53.15, TableChatAgent uses pandas eval. If fed by untrusted user input, like the case of a public-facing LLM application, it may be vulnerable to code injection. Langroid 0.53.15 sanitizes...
CVE-2025-46726
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.53.4, a LLM application leveraging XMLToolMessage class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information. Version 0.53.4 fixes th...
CVE-2025-46726 Langroid Vulnerable to XXE Injection via XMLToolMessage
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.53.4, a LLM application leveraging XMLToolMessage class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information. Version 0.53.4 fixes th...
CVE-2025-46726
Langroid prior to 0.53.4 is vulnerable via the XMLToolMessage class to untrusted XML input, enabling DoS and potential disclosure of local files. The issue is mitigated by upgrading to version 0.53.4, which initializes the XML parser with safeguards against XXE, billionaire laughs, and external D...