apk package
chainguard/py3.11-langchain
pkg:apk/chainguard/py3.11-langchain
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44843 | Hig | 8.2 | | < 1.3.4-r0 | 1.3.4-r0 | May 26, 2026 | LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.85 and 1.3.3, LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths m |
| CVE-2026-40087 | Med | 5.3 | | < 1.3.0-r0 | 1.3.0-r0 | Apr 9, 2026 | LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforc |
| CVE-2026-34070 | Hig | 7.5 | | < 0 | 0 | Mar 31, 2026 | LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path inj |
| CVE-2025-68664 | — | | | < 1.2.6-r0 | 1.2.6-r0 | Dec 23, 2025 | LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing fre |