CVE-2026-7524
Published 2026-05-27

CVE-2026-7524: IBM Langflow OSS 1.0.0 through 1.9.1 could allow remote code execution due to improper validation of symbolic links during archive extraction.
Priority: P2 · 64 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.62% (45.4th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | langflow_oss | 1.0.0 – 1.9.1 | — |
| langflow | langflow | 1.0.0 – 1.9.1 | — |
VulDB
IBM Langflow OSS up to 1.9.1 Archive Extraction path traversal
vuldb·2026-05-27·CVSS 9.8
CVE-2026-7524 [CRITICAL] IBM Langflow OSS up to 1.9.1 Archive Extraction path traversal
A vulnerability was found in IBM Langflow OSS up to 1.9.1. It has been classified as critical. This impacts an unknown function of the component Archive Extraction Handler. Performing a manipulation results in path traversal.
This vulnerability is identified as CVE-2026-7524. The attack can be initiated remotely. There is not any exploit available.
Upgrading the affected component is recommended.
GHSA
GHSA-25hm-qrp9-f25g: IBM Langflow OSS 1
ghsa_unreviewed·2026-05-27
CVE-2026-7524 [CRITICAL] CWE-22 GHSA-25hm-qrp9-f25g: IBM Langflow OSS 1
IBM Langflow OSS 1.0.0 through 1.9.1 could allow remote code execution due to improper validation of symbolic links during archive extraction.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-27: Published