What is the CVSS score of EUVD-2026-32494?

EUVD-2026-32494 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.3%.

Which versions of IBM Langflow are affected by EUVD-2026-32494?

IBM Langflow open-source platform versions 1.0.0-1.9.1 contain a critical unauthenticated remote code execution vulnerability enabling attackers to execute arbitrary code on affected systems through…

IBM Langflow EUVD-2026-32494

| CVE-2026-7524 CRITICAL

Path Traversal (CWE-22)

2026-05-27 psirt@us.ibm.com

GHSA-25hm-qrp9-f25g

RCE Path Traversal IBM

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

May 27, 2026 - 19:49 vuln.today

DescriptionNVD

IBM Langflow OSS 1.0.0 through 1.9.1 could allow remote code execution due to improper validation of symbolic links during archive extraction.

AnalysisAI

Remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.1 lets unauthenticated network attackers run arbitrary code by abusing how the platform handles symbolic links while unpacking uploaded archives. Because extraction does not properly validate symlink targets, a crafted archive can write files outside the intended directory and ultimately achieve code execution on the host. …

RemediationAI

Within 24 hours: Conduct inventory of all systems running IBM Langflow versions 1.0.0-1.9.1; isolate affected instances from production networks and disable or restrict archive upload functionality. Within 7 days: Deploy WAF rules to block suspicious archive uploads, enable filesystem and process execution logging, and scan for forensic indicators of compromise (unusual child processes, file modifications outside intended directories). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-8175 CRITICAL Act Now

9.8 May 27

Remote code execution and authentication bypass are possible in IBM Aspera High-Speed Transfer Server and High-Speed Tra

CVE-2026-7876 CRITICAL Act Now

9.1 May 27

Authentication bypass in IBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I) versions 1.5.1 throu

CVE-2026-5065 HIGH This Week

8.8 May 27

Hard-coded credentials in IBM Controller (versions 11.0.1, 11.1.0, 11.1.1, and 11.1.2) give attackers a static, embedded

CVE-2026-8179 HIGH This Week

8.8 May 27

Arbitrary code execution in IBM Aspera High-Speed Transfer Server and Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1)

CVE-2026-7365 HIGH This Week

8.4 May 27

Authentication bypass in IBM Operations Analytics - Log Analysis and IBM SmartCloud Analytics - Log Analysis (Operations

EUVD-2026-32494 vulnerability details – vuln.today

Back

IBM Langflow EUVD-2026-32494

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Share

External POC / Exploit Code