Description
A flaw has been found in langflow-ai langflow up to 1.8.3. This affects an unknown function of the file src/frontend/src/modals/IOModal/components/chatView/chatMessage/components/edit-message.tsx of the component Frontend React Component Rendering. Executing a manipulation can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: Cross‑Site Scripting via frontend React component rendering
Action: Apply Patch
AI Analysis

Impact

A flaw in langflow‑ai's Langflow up to version 1.8.3 allows a malicious user to inject arbitrary scripts into the edit‑message component when the unknown function is executed. The attack requires the ability to manipulate data that is rendered by the frontend, and can be launched remotely. The resulting cross‑site scripting can lead to execution of attacker code in users’ browsers, enabling cookie theft, session hijacking, and defacement. The weakness is identified as CWE‑79.

Affected Systems

langflow‑ai’s Langflow, versions up to 1.8.3, specifically the file src/frontend/src/modals/IOModal/components/chatView/chatMessage/components/edit‑message.tsx in the frontend React component rendering.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and no EPSS data is available. The vulnerability is not listed in the CISA KEV catalog. Attackers can remotely exploit the flaw by manipulating data sent to the edit‑message component. Published exploits indicate that the flaw can be used to inject and execute arbitrary scripts in the victim’s browser context.

Generated by OpenCVE AI on April 20, 2026 at 05:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Langflow release where the known XSS issue is resolved.
  • Apply a strict Content Security Policy that restricts execution of inline scripts and disables unsafe eval.
  • Ensure that any user‑supplied data displayed by the edit‑message component is properly sanitized or escaped before rendering; for React, use built‑in escaping or a library such as DOMPurify.

Generated by OpenCVE AI on April 20, 2026 at 05:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
Description A flaw has been found in langflow-ai langflow up to 1.8.3. This affects an unknown function of the file src/frontend/src/modals/IOModal/components/chatView/chatMessage/components/edit-message.tsx of the component Frontend React Component Rendering. Executing a manipulation can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title langflow-ai langflow Frontend React Component Rendering edit-message.tsx cross site scripting
First Time appeared Langflow
Langflow langflow
Weaknesses CWE-79
CWE-94
CPEs cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
Vendors & Products Langflow
Langflow langflow
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Langflow Langflow
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T03:15:12.169Z

Reserved: 2026-04-19T13:47:09.549Z

Link: CVE-2026-6600

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-20T04:16:54.603

Modified: 2026-04-20T04:16:54.603

Link: CVE-2026-6600

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T05:30:44Z

Weaknesses