VYPR

PyPI package

langchain-community

pkg:pypi/langchain-community

Vulnerabilities (6)

  • CVE-2025-6984HigSep 4, 2025
    affected < 0.3.27fixed 0.3.27

    The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The affected version is 0.3.63. The vulnerability arises from the use of etree.iterparse() without disabling external ent

  • CVE-2025-2828Jun 23, 2025
    affected < 0.0.28fixed 0.0.28

    A Server-Side Request Forgery (SSRF) vulnerability exists in the RequestsToolkit component of the langchain-community package (specifically, langchain_community.agent_toolkits.openapi.toolkit.RequestsToolkit) in langchain-ai/langchain version 0.0.27. This vulnerability occurs bec

  • CVE-2024-8309Oct 29, 2024
    affected >= 0.2.0, < 0.2.19fixed 0.2.19

    A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in m

  • CVE-2024-5998Sep 17, 2024
    affected < 0.2.4fixed 0.2.4

    A vulnerability in the FAISS.deserialize_from_bytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the os.system function. The issue affects the latest version of the product.

  • CVE-2024-2965Jun 6, 2024
    affected < 0.2.5fixed 0.2.5

    A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a

  • CVE-2024-3095Jun 6, 2024
    affected < 0.2.9fixed 0.2.9

    A Server-Side Request Forgery (SSRF) vulnerability exists in the Web Research Retriever component of langchain-ai/langchain version 0.1.5. The vulnerability arises because the Web Research Retriever does not restrict requests to remote internet addresses, allowing it to reach loc