CVE-2025-6984: The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE
Summary
The EverNoteLoader component in langchain-ai/langchain version 0.3.63 has a security flaw that allows XXE (XML External Entity) attacks, where an attacker tricks the XML parser into reading external files by embedding special references in XML input. This could expose sensitive system files like password lists to an attacker.
Vulnerability Details
EPSS: 0.0%
Classification
Affected Vendors
Related Issues
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-6984
First tracked: February 15, 2026 at 08:35 PM
Classified by LLM (prompt v3) · confidence: 95%