
CVE-2026-5027

HIGH · 8.8 EPSS 2.3%
hype MIXED · 42 hack

Credible vulnerability class but unverified "active exploitation" claims; low EPSS; no PoC or patch evidence.

What: Path traversal vulnerability in Langflow's POST /api/v2/files endpoint allowing unauthenticated arbitrary file write via unsanitized filename parameter (CVSS 8.8).

Why it matters: Social chatter claims active in-the-wild exploitation for RCE on unpatched Langflow instances, but the CVE is not KEV-listed and its EPSS is extremely low (0.1%). Claims of "active exploitation" lack corroborating PoC links, vendor advisory dates, or defender triage reports. Hacker News coverage amplifies unverified assertions.

Where it's seen: Recycled Hacker News headlines across Bluesky; Indonesian security blog; sensationalized "silent crisis" framing; no linked PoCs, no vendor patch timeline, no defender confirmation.

RISK: HIGH — High CVSS, unauthenticated RCE path, but unconfirmed exploitation signal and absent KEV listing.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 6/11/2026, 12:34:36 PM

Description

The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').

CVSS 3.1 breakdown

Exploitability 2.8 · Impact 5.9
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Weaknesses