5 min read
News Brief A path traversal vulnerability in Langflow's file API allows unauthenticated attackers to overwrite arbitrary files and chain to RCE. Active exploitation confirmed in June 2026. Fix is in version 1.9.0.
A path traversal vulnerability in Langflow's file API allows unauthenticated attackers to overwrite arbitrary files and chain to RCE. Active exploitation confirmed in June 2026. Fix is in version 1.9.0.
CISA added CVE-2026-42271 to KEV after Horizon3.ai chained the LiteLLM MCP command injection flaw with a Starlette auth bypass for unauthenticated RCE. Federal deadline: June 22.