These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2025-34291 is a Langflow origin validation error that CISA added to the Known Exploited Vulnerabilities catalog on 2026-05-21. Because it is in KEV, defenders should treat it as an actively exploited issue and prioritize remediation before the 2026-06-04 due date. The supplied corpus does not include deeper technical detail or a CVSS score, so the safest approach is to follow vendor guidance, verify w [truncated]
CVE-2026-6543 is a high-severity command execution issue in Langflow Desktop affecting versions 1.0.0 through 1.8.4. An attacker with low privileges can run arbitrary commands as the Langflow process, which may expose environment secrets such as API keys and database credentials, modify files, or support follow-on attacks inside the network. NVD classifies the weakness as CWE-94 and rates it 8.8 (AV:N/AC: [truncated]
CVE-2026-3345 is a directory traversal vulnerability in IBM Langflow Desktop versions 1.8.4 and earlier. A remote attacker can send a specially crafted URL containing "dot dot" path sequences ("/../") to access files outside the intended directory scope. The issue is rated CVSS 6.5 (Medium) and primarily impacts confidentiality.
CVE-2026-4503 is a high-severity access-control flaw in IBM Langflow Desktop that can let an unauthenticated user view images belonging to other users. The issue is tied to an indirect object reference through a user-controlled key, which aligns with CWE-639 and an NVD CVSS 3.1 score of 7.5. Affected versions are 1.0.0 through 1.8.4.
CVE-2026-4502 is an authenticated directory traversal issue in IBM Langflow Desktop. According to the supplied NVD and IBM PSIRT references, specially crafted URL requests containing "../" sequences can escape intended paths and write arbitrary files on the system. The vulnerable range in the supplied record is Langflow Desktop 1.2.0 through 1.8.4.
CVE-2026-3346 is a stored cross-site scripting issue affecting IBM Langflow Desktop 1.6.0 through 1.8.4. According to the NVD record, an authenticated user can embed arbitrary JavaScript in the Web UI, which can alter application behavior inside a trusted session and may expose credentials or other sensitive data associated with that session. The CVE was published on 2026-04-30 and updated on 2026-05-11.
CVE-2026-3340 is a server-side request forgery (SSRF) issue in IBM Langflow Desktop affecting versions 1.0.0 through 1.8.4. According to the vendor and NVD, an authenticated attacker may be able to make unauthorized requests from the system, which could support network enumeration or other follow-on attacks.
CVE-2026-34046 is a high-severity access-control vulnerability in Langflow. Before version 1.5.1, the `_read_flow` helper could return a flow by UUID without enforcing ownership when authentication was enabled, allowing an authenticated user to access other users' flows. The reported impact includes reading embedded plaintext API keys, modifying another user's AI agents, and deleting other users' flows. T [truncated]
CVE-2026-33017 is a Langflow code injection vulnerability that CISA added to the Known Exploited Vulnerabilities catalog on 2026-03-25. That KEV listing means CISA considers the issue actively exploited and recommends prompt mitigation. The supplied corpus does not include affected versions or a technical breakdown, so defenders should treat this as an urgent exposure review item for any Langflow deployment.
CVE-2025-3248 is a missing authentication vulnerability in Langflow that CISA added to the Known Exploited Vulnerabilities catalog on 2025-05-05. Because it is on KEV, organizations should treat affected Langflow deployments as urgent remediation candidates and act before the 2025-05-26 due date.