Langchain AI

All CVEs

61 total · sorted by risk
  • CVE-2025-46059 · Cri · Jul 29, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    langchain-ai v0.3.51 was discovered to contain an indirect prompt injection vulnerability in the GmailToolkit component. This vulnerability allows attackers to execute arbitrary code and compromise the application via a crafted email message. NOTE: this is disputed by the…

  • CVE-2026-25879 · Cri · Jun 1, 2026
    risk 0.57 · cvss 9.8 · epss 0.00

    Langroid is a framework for building large-language-model-powered applications. Prior to version 0.63.0, SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection. When configured with a database role that has privileges enabling code execution or…

  • CVE-2026-30617 · Hig · Apr 15, 2026
    risk 0.56 · cvss 8.6 · epss 0.00

    LangChain-ChatChat 0.3.1 contains a remote code execution vulnerability in its MCP STDIO server configuration and execution handling. A remote attacker can access the publicly exposed MCP management interface and configure an MCP STDIO server with attacker-controlled commands…

  • CVE-2026-44843 · Hig · May 26, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.85 and 1.3.3, LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths…

  • CVE-2025-65106 · Hig · Nov 21, 2025
    risk 0.47 · cvss · epss 0.00

    LangChain is a framework for building agents and LLM-powered applications. From versions 0.3.79 and prior and 1.0.0 to 1.0.6, a template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals through template…

  • CVE-2026-48775 · Med · Jun 16, 2026
    risk 0.44 · cvss 6.8 · epss 0.00

    LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 4.1.0 and prior, the JsonPlusSerializer can reconstruct Python objects from JSON checkpoint payloads. Under conditions where…

  • CVE-2026-41481 · Med · Apr 24, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters 1.1.2, HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using validate_safe_url() but then performed the fetch with requests.get() with redirects…

  • CVE-2026-34070 · Hig · Mar 31, 2026
    risk 0.42 · cvss 7.5 · epss 0.01

    LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path…

  • CVE-2025-6985 · Hig · Oct 6, 2025
    risk 0.42 · cvss 7.5 · epss 0.01

    The HTMLSectionSplitter class in langchain-text-splitters version 0.3.8 is vulnerable to XML External Entity (XXE) attacks due to unsafe XSLT parsing. This vulnerability arises because the class allows the use of arbitrary XSLT stylesheets, which are parsed using…

  • CVE-2025-6984 · Hig · Sep 4, 2025
    risk 0.42 · cvss 7.5 · epss 0.02

    The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The affected version is 0.3.63. The vulnerability arises from the use of etree.iterparse() without disabling external…

  • CVE-2025-64439 · Hig · Nov 7, 2025
    risk 0.41 · cvss · epss 0.01

    LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 2.1.2 and below, the JsonPlusSerializer (used as the default serialization protocol for all checkpointing) contains a Remote Code…

  • CVE-2025-64104 · Hig · Oct 29, 2025
    risk 0.40 · cvss 7.3 · epss 0.00

    LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Prior to 2.0.11, LangGraph's SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without…

  • CVE-2025-8709 · Hig · Oct 26, 2025
    risk 0.40 · cvss 7.3 · epss 0.00

    A SQL injection vulnerability exists in the langchain-ai/langchain repository, specifically in the LangGraph's SQLite store implementation. The affected version is langgraph-checkpoint-sqlite 2.0.10. The vulnerability arises from improper handling of filter operators ($eq, $ne,…

  • CVE-2026-45134 · Hig · May 27, 2026
    risk 0.39 · cvss 7.1 · epss 0.00

    LangSmith Client SDKs provide SDKs for interacting with the LangSmith platform. Prior to LangSmith SDK Python 0.8.0 and JS/TS 0.6.0, the LangSmith SDK's prompt pull methods (pull_prompt / pull_prompt_commit in Python, pullPrompt / pullPromptCommit in JS/TS) fetch and…

  • CVE-2026-28277 · Med · Mar 5, 2026
    risk 0.37 · cvss 6.8 · epss 0.05

    LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during…

  • CVE-2026-27794 · Med · Feb 25, 2026
    risk 0.36 · cvss 6.6 · epss 0.01

    LangGraph Checkpoint defines the base interface for LangGraph checkpointers. Prior to version 4.0.0, a Remote Code Execution vulnerability exists in LangGraph's caching layer when applications enable cache backends that inherit from `BaseCache` and opt nodes into caching via…

  • CVE-2026-27022 · Med · Feb 20, 2026
    risk 0.36 · cvss 6.5 · epss 0.04

    @langchain/langgraph-checkpoint-redis is the Redis checkpoint and store implementation for LangGraph. A query injection vulnerability exists in the @langchain/langgraph-checkpoint-redis package's filter handling. The RedisSaver and ShallowRedisSaver classes construct RediSearch…

  • CVE-2026-40087 · Med · Apr 9, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without…

  • CVE-2024-10940 · Med · Mar 20, 2025
    risk 0.27 · cvss 5.3 · epss 0.00

    A vulnerability in langchain-core versions >=0.1.17,<0.1.53, >=0.2.0,<0.2.43, and >=0.3.0,<0.3.15 allows unauthorized users to read arbitrary files from the host file system. The issue arises from the ability to create langchain_core.prompts.ImagePromptTemplate's (and by…

  • CVE-2026-41488 · Low · Apr 24, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network…

  • CVE-2026-27795 · Med · Feb 25, 2026
    risk 0.20 · cvss 4.1 · epss 0.00

    LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in `RecursiveUrlLoader` in `@langchain/community`. The loader validates the initial URL but allows the underlying fetch to…

  • CVE-2026-55443 · Jun 22, 2026
    risk 0.00 · cvss · epss 0.00

    LangChain is a framework for building agents and LLM-powered applications. Prior to 1.3.9, several LangChain components that resolve filesystem paths or expand search patterns do not consistently confine the resolved path to the intended root directory. Affected behaviors…

  • CVE-2026-48776 · Jun 16, 2026
    risk 0.00 · cvss · epss 0.00

    LangGraph Python SDK is used to connect to running LangGraph API servers, manage assistants, threads and stream runs from Python applications. Versions 0.3.14 and prior have unsafe URL path construction through unsanitized caller-supplied identifier values used in HTTP request…

  • CVE-2026-48121 · Jun 12, 2026
    risk 0.00 · cvss · epss 0.00

    A NoSQL injection vulnerability existed in `MongoDBSaver` where checkpoint identifier fields from `config.configurable` were used in MongoDB queries without strict type enforcement. In vulnerable versions, attacker-controlled object payloads (for example MongoDB…

  • CVE-2026-25750 · Mar 4, 2026
    risk 0.00 · cvss · epss 0.00

    Langchain Helm Charts are Helm charts for deploying Langchain applications on Kubernetes. Prior to langchain-ai/helm version 0.12.71, a URL parameter injection vulnerability existed in LangSmith Studio that could allow unauthorized access to user accounts through stolen…

  • CVE-2026-26019 · Feb 11, 2026
    risk 0.00 · cvss · epss 0.00

    LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict…

  • CVE-2026-26013 · Feb 10, 2026
    risk 0.00 · cvss · epss 0.00

    LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to…

  • CVE-2026-25481 · Feb 4, 2026
    risk 0.00 · cvss · epss 0.01

    Langroid is a framework for building large-language-model-powered applications. Prior to version 0.59.32, there is a bypass to the fix for CVE-2025-46724. TableChatAgent can call pandas_eval tool to evaluate the expression. There is a WAF in langroid/utils/pandas_utils.py…

  • CVE-2024-58340 · Jan 12, 2026
    risk 0.00 · cvss · epss 0.00

    LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the MRKLOutputParser.parse() method (libs/langchain/langchain/agents/mrkl/output_parser.py). The parser applies a backtracking-prone regular expression when…

  • CVE-2025-68665 · Dec 23, 2025
    risk 0.00 · cvss · epss 0.01

    LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when…

  • CVE-2025-68664 · Dec 23, 2025
    risk 0.00 · cvss · epss 0.14

    LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing…

  • CVE-2025-67644 · Dec 10, 2025
    risk 0.00 · cvss · epss 0.02

    LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Versions 3.0.0 and below are vulnerable to SQL injection through the checkpoint implementation. Checkpoint allows attackers to manipulate SQL…

  • CVE-2025-2828 · Jun 23, 2025
    risk 0.00 · cvss · epss 0.14

    A Server-Side Request Forgery (SSRF) vulnerability exists in the RequestsToolkit component of the langchain-community package (specifically, langchain_community.agent_toolkits.openapi.toolkit.RequestsToolkit) in langchain-ai/langchain version 0.0.27. This vulnerability occurs…

  • CVE-2025-46725 · May 20, 2025
    risk 0.00 · cvss · epss 0.00

    Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, `LanceDocChatAgent` uses pandas eval() through `compute_from_docs()`. As a result, an attacker may be able to make the agent run malicious commands through…

  • CVE-2025-46724 · May 20, 2025
    risk 0.00 · cvss · epss 0.01

    Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, `TableChatAgent` uses `pandas eval()`. If fed by untrusted user input, like the case of a public-facing LLM application, it may be vulnerable to code injection.…

  • CVE-2025-46726 · May 5, 2025
    risk 0.00 · cvss · epss 0.01

    Langroid is a framework for building large-language-model-powered applications. Prior to version 0.53.4, a LLM application leveraging `XMLToolMessage` class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information.…

  • CVE-2024-8309 · Oct 29, 2024
    risk 0.00 · cvss · epss 0.14

    A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in…

  • CVE-2024-7042 · Oct 29, 2024
    risk 0.00 · cvss · epss 0.00

    A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service…

  • CVE-2024-7774 · Oct 29, 2024
    risk 0.00 · cvss · epss 0.01

    A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is…

  • CVE-2024-46946 · Sep 19, 2024
    risk 0.00 · cvss · epss 0.01

    langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attackers to execute arbitrary code through sympy.sympify (which uses eval) in LLMSymbolicMathChain. LLMSymbolicMathChain was introduced in fcccde406dd9e9b05fc9babcbeb9ff527b0ec0c6…

  • CVE-2024-5998 · Sep 17, 2024
    risk 0.00 · cvss · epss 0.00

    A vulnerability in the FAISS.deserialize_from_bytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the os.system function. The issue affects the latest version of the product.

  • CVE-2024-21513 · Jul 15, 2024
    risk 0.00 · cvss · epss 0.02

    Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution when retrieving values from the database, the code will attempt to call 'eval' on all values. An attacker can exploit this vulnerability and execute arbitrary…

  • CVE-2024-2965 · Jun 6, 2024
    risk 0.00 · cvss · epss 0.00

    A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when…

  • CVE-2024-3095 · Jun 6, 2024
    risk 0.00 · cvss · epss 0.01

    A Server-Side Request Forgery (SSRF) vulnerability exists in the Web Research Retriever component of langchain-ai/langchain version 0.1.5. The vulnerability arises because the Web Research Retriever does not restrict requests to remote internet addresses, allowing it to reach…

  • CVE-2024-3571 · Apr 16, 2024
    risk 0.00 · cvss · epss 0.02

    langchain-ai/langchain is vulnerable to path traversal due to improper limitation of a pathname to a restricted directory ('Path Traversal') in its LocalFileStore functionality. An attacker can leverage this vulnerability to read or write files anywhere on the filesystem,…

  • CVE-2024-1455 · Mar 26, 2024
    risk 0.00 · cvss · epss 0.01

    A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multiple layers of entities within an XML document, an attacker can cause the XML parser to consume excessive CPU and memory…

  • CVE-2024-28088 · Mar 3, 2024
    risk 0.00 · cvss · epss 0.02

    LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The…

  • CVE-2024-2057 · Mar 1, 2024
    risk 0.00 · cvss · epss 0.01

    A vulnerability was found in LangChain langchain_community 0.0.26. It has been classified as critical. Affected is the function load_local in the library libs/community/langchain_community/retrievers/tfidf.py of the component TFIDFRetriever. The manipulation leads to server-side…

  • CVE-2024-0243 · Feb 24, 2024
    risk 0.00 · cvss · epss 0.01

    With the following crawler configuration:

    ```python
    from bs4 import BeautifulSoup as Soup

    url = "https://example.com"
    loader = RecursiveUrlLoader(
        url=url,
        max_depth=2,
        extractor=lambda x: Soup(x, "html.parser").text
    )
    docs = loader.load()
    ```

    An attacker in control of…

  • CVE-2023-32786 · Oct 20, 2023
    risk 0.00 · cvss · epss 0.01

    In Langchain through 0.0.155, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into downstream tasks.

Page 1 of 2