CVE-2026-3346: IBM Langflow Desktop 1.6.0 through 1.8.4 Lanflow is vulnerable to stored cross-site scripting. This vulnerability allows
Summary
IBM Langflow Desktop versions 1.6.0 through 1.8.4 has a stored cross-site scripting vulnerability (XSS, a flaw where an attacker can inject malicious code that gets saved and executed in a web interface). An authenticated user can embed JavaScript code in the Web UI, which could alter how the application works and potentially expose user credentials to attackers who access the same session.
Vulnerability Details
6.4(medium)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
network
low
low
none
April 30, 2026
Classification
Affected Vendors
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-3346
First tracked: May 1, 2026 at 02:07 AM
Classified by LLM (prompt v3) · confidence: 85%