
Deepak Sharma


CISA Adds Exploited Langflow and Trend Micro Apex One Flaws to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) just added two actively exploited vulnerabilities, one in Langflow and one in Trend Micro Apex One, to its Known Exploited Vulnerabilities (KEV) catalog. A listing like this usually means the issues are already showing up in real-world attacks, so they should be treated as urgent patching priorities rather than deferred.

The first vulnerability, CVE-2025-34291, affects Langflow and is rated critical. From what I can tell, it traces back to an origin validation issue. In practice, this could let an attacker run arbitrary code and, if the exploit succeeds, end up with full control over the impacted system.

Security researchers earlier pointed out that the Langflow flaw ties together several weaknesses at once: overly permissive CORS settings, a lack of CSRF protection, and an endpoint that, by design, lets code execute. An attacker who is able to exploit it could end up with sensitive tokens, API keys, and even access to connected services. That could in turn raise the likelihood of a broader compromise across cloud and SaaS setups.
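The CORS part of that chain can be checked from the defender's side by looking at how a service answers a request that carries an untrusted `Origin` header. The following is an added example, not code from the original post or from Langflow; the function name, origins, allowlist and header sets are constructed for illustration.

```python
# Added example: audit CORS response headers for a permissive-origin policy.
# All names, origins and header sets below are constructed for illustration.

TRUSTED_ORIGINS = {"https://app.example.internal"}  # assumption: your own allowlist


def audit_cors(request_origin, response_headers, trusted=TRUSTED_ORIGINS):
    """Return a list of findings for one response to a cross-origin request."""
    # Header names are case-insensitive, so normalise them first.
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    vary = {v.strip().lower() for v in h.get("vary", "").split(",") if v.strip()}
    findings = []

    if acao is None:
        return findings  # no CORS grant: the browser blocks cross-origin reads
    if acao == "*":
        findings.append("wildcard origin allowed")
    elif acao == "null":
        findings.append("'null' origin allowed (sandboxed frames, local files)")
    elif acao == request_origin and request_origin not in trusted:
        findings.append("untrusted origin reflected back")
    if creds and findings:
        # A reflected or 'null' origin combined with credentials lets another
        # site make authenticated, readable requests on the user's behalf.
        findings.append("credentials allowed alongside a permissive origin grant")
    if acao != "*" and "origin" not in vary:
        findings.append("missing 'Vary: Origin' (cache may serve the wrong grant)")
    return findings


# Constructed responses to a request sent with Origin: https://untrusted.example
PROBE_ORIGIN = "https://untrusted.example"
WEAK = {
    "Access-Control-Allow-Origin": "https://untrusted.example",
    "Access-Control-Allow-Credentials": "true",
}
HARDENED = {"Vary": "Origin"}  # no grant is returned for an unknown origin

if __name__ == "__main__":
    for name, headers in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_cors(PROBE_ORIGIN, headers))
```

A clean result here covers only the CORS policy; CSRF protection on state-changing endpoints has to be verified separately.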

The vulnerability has reportedly been used by the Iranian state-sponsored group MuddyWater to get initial access to target networks, which makes it more concerning for organizations that use Langflow in production environments.

CVE-2026-34926, the second vulnerability, affects the on-premises releases of Trend Micro Apex One. It is a directory traversal weakness, which means a local attacker with some prior access and administrative credentials could potentially tamper with server-side components and then inject malicious code. That injected payload might later get pushed out to and used by connected agents.

Trend Micro has confirmed at least one attempt to use the flaw in the wild. While it does need existing access to the Apex One server, the situation is still quite serious because endpoint security platforms typically have wide visibility and control over enterprise environments.

Federal agencies were instructed to apply fixes by June 4, 2026. Private organizations should also move with urgency: update the affected systems, review access controls, check the logs, and rotate any exposed secrets where needed.

Cybersecurity firms like IntelligenceX can help organizations lessen those risks through continuous vulnerability monitoring, patch prioritization, threat intelligence, and incident response readiness.

For security teams, the key takeaway is simple. When a vulnerability gets into the KEV catalog, it is no longer just theoretical; it is being used in real attacks. It should be reviewed, patched, and closely monitored right away, not later.
