Description
A vulnerability was identified in langflow-ai langflow up to 1.9.3. This affects an unknown function of the component Bundle URL Loader. The manipulation leads to code injection. The attack needs to be performed locally. The vendor was contacted early about this disclosure but did not respond in any way.
Severity (CVSS)
| Base score | 4.8 |
|---|---|
| Severity | Medium |
| Version | CVSS 4.0 |
| Vector | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P |
| Provided by | CNA |
Weaknesses
- CWE-94 — Code Injection
- CWE-74 — Injection
Affected products
| Vendor | Product | Versions |
|---|---|---|
| langflow-ai | langflow | 1.9.0; 1.9.1; 1.9.2; 1.9.3 |
References
- https://vuldb.com/vuln/372612 (vdb-entry)
- https://vuldb.com/vuln/372612/cti (signature permissions-required)
- https://vuldb.com/cve/CVE-2026-12822 (third-party-advisory)
- https://vuldb.com/submit/837582 (third-party-advisory)
- https://github.com/dxz0069/softwareoverflow/blob/main/langflow_bundle_url_custom_component_startup_rce_vulndb.md (related)
Generated from the official CVE List on 22 Jun 2026 14:43 UTC.