CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV
Briefly

CISA added CVE-2025-34291 affecting Langflow and CVE-2026-34926 affecting on-premise Trend Micro Apex One to the Known Exploited Vulnerabilities catalog due to evidence of active exploitation. CVE-2025-34291 is an origin validation error with a CVSS score of 9.4 that can enable arbitrary code execution and full system compromise. CVE-2026-34926 is a directory traversal flaw with a CVSS score of 6.7 that can allow a pre-authenticated local attacker to modify a key table and inject malicious code for deployment to agents. Obsidian Security linked CVE-2025-34291 exploitation to permissive CORS, missing CSRF protection, and an endpoint that allows code execution by design. Ctrl-Alt-Intel reported exploitation by the Iranian MuddyWater group for initial access. Trend Micro observed at least one attempt to exploit CVE-2026-34926 in the wild and noted it requires on-premise access and administrative credentials.
"The impact is severe: successful exploitation not only compromises the Langflow instance but also exposes all sensitive access tokens and API keys stored within the workspace. This can trigger a cascading compromise across all integrated downstream services in cloud and SaaS environments."
"In a report published in December 2025, Obsidian Security said CVE-2025-34291 exploits three combined weaknesses: overly permissive CORS, lack of cross-site request forgery (CSRF) protection, and an endpoint that allows code execution by design."
"In a report published in March 2026, Ctrl-Alt-Intel said the vulnerability had been exploited by an Iranian hacking group named MuddyWater to obtain initial access to target networks."
"Trend Micro said it "observed at least one instance of an attempt to actively exploit one of these vulnerabilities in the wild." "This vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability," it added."
Read at The Hacker News