{"data":{"id":"047041d6-4758-4d2b-91cd-82b229a533ce","title":"CVE-2026-26019: LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langch","summary":"LangChain's RecursiveUrlLoader (a web crawler that follows links across pages) had a security flaw in versions before 1.1.14 where its preventOutside option used weak URL comparison that attackers could bypass. An attacker could trick the crawler into visiting unintended domains by creating links with similar prefixes, or into accessing internal services like cloud metadata endpoints and private IP addresses that should be off-limits.","solution":"Update LangChain to version 1.1.14 or later, which fixes this vulnerability.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-26019","publishedAt":"2026-02-11T22:15:51.910Z","cveId":"CVE-2026-26019","cweIds":["CWE-918"],"cvssScore":"4.1","cvssSeverity":"medium","severity":"medium","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["LangChain"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.0001,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-664"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}