Code Execution Vulnerability in Langroid Framework
CVE-2026-25481
What is CVE-2026-25481?
Langroid before version 0.59.32 contains a bypass of the fix for an earlier code-injection vulnerability. The affected component is the TableChatAgent, which can use the pandas_eval tool to evaluate expressions. A Web Application Firewall (WAF) was introduced to block code injection, but it can be circumvented when the _literal_ok() function fails to raise UnsafeCommandError for invalid inputs. Because dangerous dunder attributes are not restricted, an attacker can chain otherwise whitelisted methods to reach the eval builtin and execute arbitrary code. Upgrade to version 0.59.32 or later.
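The failure mode the advisory describes, as an added example that is not Langroid's code: an expression gate that allow-lists AST node types but never inspects attribute names lets a dunder chain walk from a harmless object to the real builtins, even when eval() is given an empty __builtins__ dict. The strict gate below additionally rejects dunder attributes, dunder names and dunder string literals. The Row class standing in for a DataFrame, the ALLOWED_NODES list and the gate function names are assumptions for illustration; only the UnsafeCommandError name is taken from the advisory.

```python
"""
Added example (not Langroid's code): a weak expression gate beside a
hardened one, showing why blocking dunder access matters in an eval-style
tool. Requires Python 3.9+ (Subscript slices are plain nodes).
"""
import ast


class UnsafeCommandError(ValueError):
    """Raised when an expression fails the gate (name from the advisory)."""


# Node types a column-expression language plausibly needs (assumption).
ALLOWED_NODES = (
    ast.Expression, ast.Attribute, ast.Name, ast.Load, ast.Constant,
    ast.Subscript, ast.Call, ast.keyword, ast.BinOp, ast.Compare,
    ast.UnaryOp, ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Gt, ast.Lt,
    ast.Eq, ast.Not, ast.List, ast.Tuple,
)


def weak_gate(expr: str) -> ast.Expression:
    """Allow-list syntax only: attribute *names* are never examined."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise UnsafeCommandError(f"disallowed syntax: {type(node).__name__}")
    return tree


def _is_dunder(value) -> bool:
    return isinstance(value, str) and value.startswith("__")


def strict_gate(expr: str) -> ast.Expression:
    """Same allow-list, plus rejection of every dunder attribute, name
    and string literal, so no chain can reach __class__/__globals__."""
    tree = weak_gate(expr)
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and _is_dunder(node.attr):
            raise UnsafeCommandError(f"dunder attribute: {node.attr}")
        if isinstance(node, ast.Name) and _is_dunder(node.id):
            raise UnsafeCommandError(f"dunder name: {node.id}")
        if isinstance(node, ast.Constant) and _is_dunder(node.value):
            raise UnsafeCommandError(f"dunder literal: {node.value!r}")
    return tree


class Row:
    """Stand-in for a DataFrame (assumption): any pure-Python class works,
    because its __init__ is a function object carrying __globals__."""

    def __init__(self, value: int) -> None:
        self.value = value


def run(expr: str, gate) -> object:
    """Gate the expression, then evaluate it the way people assume is safe:
    with an empty __builtins__ and only the data object in scope."""
    code = compile(gate(expr), "<expr>", "eval")
    return eval(code, {"__builtins__": {}}, {"row": Row(7)})


# Constructed payload: only Attribute/Subscript/Constant nodes, so the weak
# gate accepts it, yet it resolves to this module's real builtins.
ESCAPE = "row.__class__.__init__.__globals__['__builtins__']"


def exposes_eval(obj) -> bool:
    """__builtins__ is a dict in imported modules and a module in __main__."""
    return "eval" in obj if isinstance(obj, dict) else hasattr(obj, "eval")


def demo() -> dict:
    results = {
        "benign_weak": run("row.value * 2 + 1", weak_gate),
        "benign_strict": run("row.value * 2 + 1", strict_gate),
        "escape_weak_reaches_eval": exposes_eval(run(ESCAPE, weak_gate)),
    }
    try:
        run(ESCAPE, strict_gate)
        results["escape_strict_blocked"] = False
    except UnsafeCommandError:
        results["escape_strict_blocked"] = True
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The strict gate is defence in depth, not a substitute for the upstream fix: an expression language that needs attribute access should also pin the allowed attribute and method names to an explicit list, and a literal check (the role _literal_ok() plays in the advisory) must fail closed by raising rather than returning silently on unexpected input.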

Affected Version(s)
langroid < 0.59.32
