VYPR
Unrated severityNVD Advisory· Published Mar 27, 2026· Updated Mar 27, 2026

Langflow - Path Traversal Arbitrary File Write via upload_user_file

CVE-2026-5027

Description

The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

1

Patches

Vulnerability mechanics

References

1

News mentions

5