Critical · Security flaw
Langflow Unauthenticated RCE (CVE-2026-33017)
Published anonymously · 2 days ago
CVE-2026-33017 is a follow-up code injection flaw (CVSS 9.3) to CVE-2025-3248 and has been added to the CISA KEV catalog. Exploitation began within 20 hours of advisory publication, with .env and .db harvesting within 24 hours. The earlier flaw, CVE-2025-3248, exec()'d user-submitted Python without authentication and was actively exploited to deploy the Flodrix botnet.