Critical Langflow flaw added to CISA KEV list amid ongoing exploitation evidence
A recently disclosed critical security flaw impacting the open-source Langflow platform has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), citing evidence of active exploitation.
The vulnerability, tracked as CVE-2025-3248, carries a CVSS score of 9.8 out of a maximum of 10.0.
“Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests,” CISA said.
Read more at The Hacker News