AI description
CVE-2026-7687 describes a command injection vulnerability found in `langflow-ai langflow` versions up to 1.8.4. The flaw specifically resides within the `CodeParser.parse_callable_details` function, located in the `src/lfx/src/lfx/custom/code_parser/code_parser.py` file, which is part of the Full Builtins Module Handler component. This vulnerability allows an authenticated remote attacker to manipulate parser inputs, leading to the injection and execution of arbitrary commands. The exploit for this issue has been publicly disclosed, and the vendor reportedly did not respond to initial disclosure attempts.
- Description: A vulnerability was determined in langflow-ai langflow up to 1.8.4. Affected by this issue is the function CodeParser.parse_callable_details of the file src/lfx/src/lfx/custom/code_parser/code_parser.py of the component Full Builtins Module Handler. Executing a manipulation can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
- Source: cna@vuldb.com
- NVD status: Deferred
CVSS 4.0
- Type: Secondary
- Base score: 2.1
- Impact score: -
- Exploitability score: -
- Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity: LOW
CVSS 3.1
- Type: Primary
- Base score: 6.3
- Impact score: 3.4
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Severity: MEDIUM
CVSS 2.0
- Type: Secondary
- Base score: 6.5
- Impact score: 6.4
- Exploitability score: 8
- Vector string: AV:N/AC:L/Au:S/C:P/I:P/A:P
- cna@vuldb.com
- CWE-74
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 6
#Langflow Multi-CVE Exploit Kit **CVE-2026-7524 (Path Traversal) | CVE-2026-7700 (Lambda eval) | CVE-2026-7687 (CodeParser CMD Injection)** **Multi-Vector RCE Exploitation Framework** **Exploitation Chain:** 1. Create tar.gz with payload file + symlink poin
@YogSoth0
20 Jun 2026
2806 Impressions
12 Retweets
49 Likes
25 Bookmarks
2 Replies
0 Quotes
# Langflow Multi-CVE Exploit Kit **CVE-2026-7524 (Path Traversal) | CVE-2026-7700 (Lambda eval) | CVE-2026-7687 (CodeParse> **Military-Grade Multi-Vector RCE Exploitation Framework** #exploit #0days #CVE #CVSS #security #hacking https://t.co/hB4tr07PJW
@YogSoth0
15 Jun 2026
182 Impressions
0 Retweets
7 Likes
0 Bookmarks
1 Reply
0 Quotes
New 0days multi-exploit kit: Langflow Multi-CVE Reconnaissance Scanner Targets: CVE-2026-7524 (Path Traversal), CVE-2026-7700 (Lambda eval), CVE-2026-7687 (CodeParser) Military-grade async scanner with vulnerability fingerprinting and exploitability scoring. Soon on gibliz h
@YogSoth0
14 Jun 2026
220 Impressions
1 Retweet
4 Likes
1 Bookmark
1 Reply
0 Quotes