Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code
endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
{ "nvd_published_at": "2025-04-07T15:15:44Z", "cwe_ids": [ "CWE-306", "CWE-94" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2025-04-07T21:13:20Z" }