SecAlerts
CVE ListPricingSign Up
langchain logo

langchain

Security Risk Profile

43
/100
medium

Security Risk Score

Comprehensive risk assessment based on 49 vulnerabilities, EPSS scores, exploitation status, and remediation availability.

📅 Data spans from April 5, 2023 to present

49
Total CVEs
42
Critical+High
1
Exploited
6
Unpatched

Threat Assessment

Avg CVSS
8.3
Base severity
Avg EPSS
0%
Exploit probability
Unpatched
6
Critical/High
Risk Level
43/100
medium
⚠️ 1 Active Exploits

Severity Distribution

Critical
23
High
19
Medium
5
Low
2

Exploit Likelihood

>50% chance
0
20-50%
0
5-20%
0
<5%
7

Age Distribution

Common Weaknesses (CWE)

1
SSRF
11
2
Code Injection
9
3
SQL Injection
6
4
Path Traversal
4
5
Input Validation
2

Most Affected Products

1. Langchain Langchain29
2. pip/langchain19
3. pip/langchain-core10
4. Langchain Langchain Core Python6
5. pip/langchain-community5

Recent Vulnerabilities

See more →
CVE-2026-44843
CVSS 8.2high

LangChain: Unsafe deserialization of attacker-controlled LangChain objects through overly broad `load()` allowlists

5/8/2026
CVE-2026-41488
CVSS 3.1low

angchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding

4/24/2026🔧 No Patch
CVE-2026-41481
CVSS 6.5medium

LangChain: HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass

4/24/2026🔧 No Patch
CVE-2026-40087
CVSS 5.3medium

LangChain has incomplete f-string validation in prompt templates

4/8/2026
CVE-2026-34070
CVSS 7.5high

LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions

3/27/2026
CVE-2026-28277
CVSS 7.2EPSS 0%high

LangGraph: Unsafe msgpack deserialization in LangGraph checkpoint loading

3/5/2026
CVE-2026-25750
CVSS 8.5high

LangSmith Studio has URL Parameter Injection Vulnerability that Enables Token Theft via Malicious baseUrl

3/4/2026🔧 No Patch
CVE-2026-27795
CVSS 7.4EPSS 0%high

LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader

2/25/2026
CVE-2026-26019
CVSS 4.1EPSS 0%medium

@langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation

2/11/2026
CVE-2026-26013
CVSS 3.7EPSS 0%low

LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages

2/10/2026

Monitor langchain in Real-Time

Get instant alerts when new vulnerabilities are discovered. Stay ahead of security threats with SecAlerts.

Start Free TrialBook a Demo
Powered bySecAlerts

Monitor Your Software Stack in Real-Time

Get instant alerts when vulnerabilities are discovered in your software stack. Stay ahead of security threats with SecAlerts.

Start Free TrialBook a Demo
AboutNewsDocumentationTermsContact

© 2026 SecAlerts Pty Ltd. All rights reserved.