CVE-2026-12822
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
In vulnerability CVE-2026-12822 in langflow-ai langflow up to version 1.9.3, a flaw was found in the Bundle URL Loader component. It allows code injection by a local attacker. The vendor did not respond to the disclosure.
Risk Assessment
A local attacker can inject malicious code, potentially leading to unauthorized command execution or data modification on the system.
Recommendation
It is recommended to immediately restrict access to the Bundle URL Loader component for unauthorized users and monitor for updates from the vendor.
Original NVD description (English source)
A vulnerability was identified in langflow-ai langflow up to 1.9.3. This affects an unknown function of the component Bundle URL Loader. The manipulation leads to code injection. The attack needs to be performed locally. The vendor was contacted early about this disclosure but did not respond in any way.

