CVE-2026-3346 - Vulnerability Details - OpenCVE

IBM Langflow Desktop 1.6.0 through 1.8.4 Lanflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Langflow Desktop

No data.

No data.

No data.

References

Link	Providers
https://www.ibm.com/support/pages/node/7271095

History

Thu, 30 Apr 2026 21:15:00 +0000

Type	Values Removed	Values Added
Description		IBM Langflow Desktop 1.6.0 through 1.8.4 Lanflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
Title		Stored Cross-Site Scripting (XSS) in Langflow Markdown Rendering via rehypeRaw
First Time appeared		Ibm Ibm langflow Desktop
Weaknesses		CWE-89
CPEs		cpe:2.3:a:ibm:langflow_desktop:1.6.0:::::::* cpe:2.3:a:ibm:langflow_desktop:1.8.4:::::::*
Vendors & Products		Ibm Ibm langflow Desktop
References		https://www.ibm.com/support/pages/node/7271095
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2026-04-30T21:06:10.276Z

Updated: 2026-04-30T21:06:10.276Z

Reserved: 2026-02-27T16:11:36.537Z

Link: CVE-2026-3346

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-30T21:16:32.610

Modified: 2026-04-30T21:16:32.610

Link: CVE-2026-3346

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3346", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2026-02-27T16:11:36.537Z", "datePublished": "2026-04-30T21:06:10.276Z", "dateUpdated": "2026-04-30T21:06:10.276Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-04-30T21:06:10.276Z"}, "title": "Stored Cross-Site Scripting (XSS) in Langflow Markdown Rendering via rehypeRaw", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "Langflow Desktop", "versions": [{"status": "affected", "version": "1.6.0", "lessThanOrEqual": "1.8.4", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:langflow_desktop:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:langflow_desktop:1.8.4:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Langflow Desktop 1.6.0 through 1.8.4 Lanflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM Langflow Desktop 1.6.0 through 1.8.4 Lanflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7271095", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "solutions": [{"lang": "en", "value": "IBM recommends addressing the vulnerability now by upgrading to IBM Langflow Desktop 1.9.0 or newer https://www.langflow.org/blog/langflow-1-8-desktopIf you are already using Langflow Desktop, upgrade in the application to version 1.9.0To install Langflow Desktop for the first time, visit Download Langflow Desktop.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM recommends addressing the vulnerability now by upgrading to IBM Langflow Desktop 1.9.0 or newer <a href=\"https://www.langflow.org/blog/langflow-1-8-desktop\" rel=\"nofollow\">https://www.langflow.org/blog/langflow-1-8-desktop</a></p><p>If you are already using Langflow Desktop, upgrade in the application to version 1.9.0</p><p>To install Langflow Desktop for the first time, visit <a href=\"https://langflow.org/desktop\" rel=\"nofollow\">Download Langflow Desktop</a>.</p>"}]}], "x_generator": {"engine": "ibm-cvegen"}}}}