8.8
CVE-2026-6543 - Authenticated Remote Code Execution Vulnerability in Langflow Code Validation Endpoint
IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow allows an attacker to execute arbitrary commands with the privileges of the process running Langflow. This allows reading sensitive environment variables (API keys, DB credentials), modifying files, or launching further attacks on the internal netwoβ¦
6.5
CVE-2026-3345 - Path Traversal and Arbitrary File Write Vulnerability in IBM Langflow Desktop API v2 File Upload Enβ¦
IBM Langflow Desktop <=1.8.4 Langflow could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
6.4
CVE-2026-3346 - Stored Cross-Site Scripting (XSS) in Langflow Markdown Rendering via rehypeRaw
IBM Langflow Desktop 1.6.0 through 1.8.4 Lanflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted sesβ¦
6.5
CVE-2026-3340 - Server-Side Request Forgery (SSRF) in Langflow URL Component
IBM Langflow Desktop 1.0.0 through 1.8.4 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
6.5
CVE-2026-4502 - Arbitrary File Write and Remote Code Execution Vulnerability in Langflow v2 API
IBM Langflow Desktop 1.2.0 through 1.8.4 Langflow could allow an authenticated attacker to traverse directories on the system. An attacker could sendΒ a specially crafted URL request containing "dot dot" sequences (/../) to write arbitrary files on the system.
7.5
CVE-2026-4503 - Unauthenticated Insecure Direct Object Reference (IDOR) Vulnerability in Langflow Desktop Image Dowβ¦
IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow could allow an unauthenticated user to view other users' images due to an indirect object reference through a user-controlled key.
5.1
CVE-2026-7501 - LinkStackOrg LinkStack UserController.php editPage cross site scripting
A weakness has been identified in LinkStackOrg LinkStack up to 4.8.6. Impacted is the function editPage of the file app/Http/Controllers/UserController.php. Executing a manipulation of the argument pageDescription can lead to cross site scripting. It is possible to launch the attack remotely. The eβ¦
6.3
CVE-2026-41263 - Traefik: BasicAuth middleware: timing side-channel vulnerability
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to holdβ¦
7.8
CVE-2026-40912 - Traefik: StripPrefixRegex auth bypass via Path/RawPath desync
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The middleware matches thβ¦
4.6
CVE-2026-6539 - Notepad++ 8.9.3 Format String Injection via nativeLang.xml
Notepad++ 8.9.3 contains a format string injection vulnerability in the Find Results panel handler that allows attackers to cause denial of service and information disclosure by crafting a malicious nativeLang.xml language pack file. Attackers can distribute a poisoned language pack through communiβ¦