These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
The LangSmith Client SDKs provide software development kits for interacting with the LangSmith platform. Prior to version 0.8.18, an attacker who can send an HTTP request to a server running the LangSmith SDK's TracingMiddleware can cause that server to read an arbitrary file from its local filesystem and upload the contents to LangSmith as a trace attachment. Depending on how the distributed trace system [truncated]
CVE-2026-55443 is a medium-severity vulnerability in LangChain, a framework for building agents and LLM-powered applications. The vulnerability allows for path traversal attacks, potentially leading to disclosure of files outside the intended boundary. The issue was fixed in version 1.3.9. LangChain components that resolve filesystem paths or expand search patterns did not consistently confine the resolve [truncated]
The LangGraph Python SDK, used to connect to LangGraph API servers and manage assistants, threads, and stream runs, has a vulnerability in versions 0.3.14 and prior. The issue arises from unsafe URL path construction through unsanitized caller-supplied identifier values used in HTTP request paths for resource operations. This could lead to unintended access, modification, or deletion of resources beyond t [truncated]
CVE-2026-48775 is a defense-in-depth issue in LangGraph SQLite Checkpoint's JsonPlusSerializer. In versions 4.1.0 and prior, the JsonPlusSerializer can reconstruct Python objects from JSON checkpoint payloads. Under conditions where someone could modify checkpoint bytes at rest in the backing store, the deserialization path could reconstruct objects beyond what the application expects, which could in turn [truncated]
LangSmith Client SDKs prior to Python 0.8.0 and JS/TS 0.6.0 fail to distinguish between prompts owned by the caller's organization and public prompts owned by external parties when using prompt pull methods (pull_prompt/pull_prompt_commit in Python; pullPrompt/pullPromptCommit in JS/TS). These methods fetch and deserialize prompt manifests from the LangSmith Hub, which may contain serialized LangChain obj [truncated]
LangChain versions prior to 0.3.85 and 1.3.3 contain overly permissive deserialization paths that allow instantiation of trusted LangChain-serializable classes with attacker-controlled constructor arguments. The vulnerability stems from runtime code paths that deserialize run inputs, run outputs, or application-controlled payloads using broad object allowlists, including configurations where `allowed_obje [truncated]
CVE-2026-41481 is a Server-Side Request Forgery (SSRF) vulnerability in LangChain Text Splitters prior to version 1.1.2. The vulnerability arises from the `HTMLHeaderTextSplitter.split_text_from_url()` function, which validates the initial URL but then performs the fetch with redirects enabled. This allows an attacker-controlled server to redirect to internal, localhost, or cloud metadata endpoints, poten [truncated]
LangSmith Client SDKs for JavaScript (prior to 0.5.19) and Python (prior to 0.7.31) fail to apply output redaction controls to streaming token events. The hideOutputs (JS) and hide_outputs (Python) settings only process inputs and outputs fields on a run object, not the events array where streaming chunks are recorded as new_token events. This causes sensitive LLM output to leak via run events even when r [truncated]
## Summary CVE-2026-40190 is a prototype pollution vulnerability in the LangSmith JavaScript/TypeScript SDK (langsmith) prior to version 0.5.18. The SDK's internally vendored lodash `set()` utility contains an incomplete fix in its `baseAssignValue()` function, which only blocks the `__proto__` key but fails to prevent traversal via `constructor.prototype`. An attacker who controls keys in data processed [truncated]
LangChain Core versions prior to 1.2.22 contain a path traversal vulnerability in prompt loading functions. Multiple functions in `langchain_core.prompts.loading` read files from paths embedded in deserialized configuration dictionaries without validating against directory traversal sequences or absolute path injection. When an application passes user-influenced prompt configurations to `load_prompt()` or [truncated]