CVE Catalog

CVE-2026-12822

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

4th percentile — higher than 4% of all known CVEs

Summary

In vulnerability CVE-2026-12822 in langflow-ai langflow up to version 1.9.3, a flaw was found in the Bundle URL Loader component. It allows code injection by a local attacker. The vendor did not respond to the disclosure.

Risk Assessment

A local attacker can inject malicious code, potentially leading to unauthorized command execution or data modification on the system.

Recommendation

It is recommended to immediately restrict access to the Bundle URL Loader component for unauthorized users and monitor for updates from the vendor.

Original NVD description (English source)

A vulnerability was identified in langflow-ai langflow up to 1.9.3. This affects an unknown function of the component Bundle URL Loader. The manipulation leads to code injection. The attack needs to be performed locally. The vendor was contacted early about this disclosure but did not respond in any way.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS