CVE-2026-3357
Published 2026-04-08
CVE-2026-3357: IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default…
Priority P2 · 59 · high · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.47% (36.9th percentile)
IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | httpd | — | — |
| ibm | langflow_desktop | 1.6.0 – 1.8.2 | — |
| langflow | langflow | >= 1.6.0 < 1.8.3 | 1.8.3 |
CVSS provenance
nvd · v3.1 · 8.8 · HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_apache · 5.4 · LOW
VulDB
IBM Langflow Desktop up to 1.8.2 deserialization (CNNVD-202604-1894)
vuldb·2026-04-10·CVSS 8.8
CVE-2026-3357 [HIGH] IBM Langflow Desktop up to 1.8.2 deserialization (CNNVD-202604-1894)
A vulnerability, which was classified as critical, was found in IBM Langflow Desktop up to 1.8.2. The affected element is an unknown function of the component Langflow. Executing a manipulation can lead to deserialization.
This vulnerability is handled as CVE-2026-3357. The attack can be executed remotely. There is not any exploit available.
You should upgrade the affected component.
GHSA
GHSA-g2wf-gm3w-w9x3: IBM Langflow Desktop 1
ghsa_unreviewed·2026-04-08
CVE-2026-3357 [HIGH] CWE-502 GHSA-g2wf-gm3w-w9x3: IBM Langflow Desktop 1
IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.
Apache
Apache httpd: CVE-2005-3357
vendor_apache·CVSS 5.4
CVE-2005-3357 [LOW] Apache httpd: CVE-2005-3357
A NULL pointer dereference flaw in mod_ssl was discovered affecting server configurations where an SSL virtual host is configured with access control and a custom 400 error document. A remote attacker could send a carefully crafted request to trigger this issue which would lead to a crash. This crash would only be a denial of service if using the worker MPM.
Reported to security team: 2005-12-05
Issue public: 2005-12-12
Update 2.2.2 released: 2006-05-01
Update 2.0.58 released: 2006-05-01
Affects: 2.2.0, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-08