langflow-ai langflow Bundle URL Loader code injection_CVE-2026-12822

4.8 / 10

MEDIUM

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A vulnerability was identified in langflow-ai langflow up to 1.9.3. This affects an unknown function of the component Bundle URL Loader. The manipulation leads to code injection. The attack needs to be performed locally. The vendor was contacted early about this disclosure but did not respond in any way.

Basic Information

ID CVE-2026-12822

Source VulDB

Published Jun 21, 2026 at 23:30

Affected Product

Vendor langflow-ai

Product langflow

Version 1.9.0

Affected Versions langflow-ai langflow 1.9.0
langflow-ai langflow 1.9.1
langflow-ai langflow 1.9.2
langflow-ai langflow 1.9.3

CWE Classification

CWE-94 CWE-74

References

{
    "lastseen": "",
    "description": "A vulnerability was identified in langflow-ai langflow up to 1.9.3. This affects an unknown function of the component Bundle URL Loader. The manipulation leads to code injection. The attack needs to be performed locally. The vendor was contacted early about this disclosure but did not respond in any way.",
    "published": "2026-06-21T23:30:09.211Z",
    "modified": "2026-06-21T23:30:09.211Z",
    "type": "cve",
    "title": "langflow-ai langflow Bundle URL Loader code injection",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/372612\nhttps://vuldb.com/vuln/372612/cti\nhttps://vuldb.com/cve/CVE-2026-12822\nhttps://vuldb.com/submit/837582\nhttps://github.com/dxz0069/softwareoverflow/blob/main/langflow_bundle_url_custom_component_startup_rce_vulndb.md",
    "id": "CVE-2026-12822",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94",
        "CWE-74"
    ],
    "cvelist": null,
    "sourceData": "langflow-ai langflow 1.9.0\nlangflow-ai langflow 1.9.1\nlangflow-ai langflow 1.9.2\nlangflow-ai langflow 1.9.3",
    "sourceHref": "",
    "cvss": {
        "score": 4.8,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "langflow",
    "version": "1.9.0",
    "vendor": "langflow-ai",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}