FAIL › dossier
Dossier not yet built — the RAG curator builds one for players with ≥2 failure events (factory/dossier.py). The failure history and sentiment below are live.
| Date | Event | Sev | Flags | Shame | Summary |
|---|---|---|---|---|---|
| 2026-05-21 | CVE-2025-34291 | high | ⚡RCE ⌖KEV | 85 | Langflow's overly permissive CORS and SameSite=None cookie settings enable cross-origin credential theft leading to full system compromise. |
| 2026-05-21 | CVE-2025-34291 | high | ⚡RCE ⌖KEV | 85 | Langflow's overly permissive CORS and SameSite=None cookie settings enable cross-origin credential theft leading to full system compromise. |
| 2026-03-25 | CVE-2026-33017 | high | ⚡RCE ⌖KEV | 65 | Langflow allows unauthenticated public flow creation via code injection, enabling attackers to bypass security controls. |
| 2026-03-25 | CVE-2026-33017 | high | ⚡RCE ⌖KEV | 65 | Langflow allows unauthenticated public flow creation via code injection, enabling attackers to bypass security controls. |
| 2026-07-07 | CVE-2026-55255 | high | ⌖KEV | 45 | Langflow allows authenticated attackers to execute any user's flow by specifying a victim's flow ID, bypassing authorization controls. |
| 2026-07-07 | CVE-2026-55255 | high | ⌖KEV | 45 | Langflow allows authenticated attackers to execute any user's flow by specifying a victim's flow ID, bypassing authorization controls. |
| 2026-06-30 | CVE-2026-7663 | critical | 35 | IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint. | |
| 2026-06-30 | CVE-2026-7663 | critical | 35 | IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint. | |
| 2026-06-30 | CVE-2026-10560 | high | 25 | IBM Langflow OSS 1.0.0 through 1.9.6 contains a missing authentication vulnerability in /api/v1/build_public_tmp/ endpoints that allows an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial | |
| 2026-06-30 | CVE-2026-10560 | high | 25 | IBM Langflow OSS 1.0.0 through 1.9.6 contains a missing authentication vulnerability in /api/v1/build_public_tmp/ endpoints that allows an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial |