Code Injection Vulnerability in langflow-ai's Bundle URL Loader Component
CVE-2026-12822

4.8 MEDIUM

Key Information:

Status
Vendor
CVE Published: 21 June 2026

What is CVE-2026-12822?

A vulnerability has been identified in langflow-ai's langflow product, specifically within the Bundle URL Loader component. The flaw allows local code injection, enabling an attacker to manipulate code execution in the affected versions. The vendor was notified of the issue but has not yet responded or provided a remediation. Users of affected versions are urged to assess their security posture and consider mitigating actions.

Affected Version(s)

langflow 1.9.0

langflow 1.9.1

langflow 1.9.2

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

ST4R (VulDB User)
VulDB CNA Team