PT-2026-36690 · Langflow · Langflow
Limshow · Published 2026-05-03 · Updated 2026-05-03 · CVE-2026-7687
CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
langflow versions prior to 1.8.5
Description
A command injection issue exists in the Full Builtins Module Handler component. The flaw is located in the parse_callable_details() function within the src/lfx/src/lfx/custom/code_parser/code_parser.py file. A remote attacker can manipulate this function to perform command injection, which allows the execution of arbitrary system commands on the host operating system.
Recommendations
Update to version 1.8.5 or later.
As a temporary workaround, restrict access to the parse_callable_details() function until the update is applied.
Exploit
Fix
Command Injection
Special Elements Injection
Affected Products
Langflow