PT-2026-6292 · Langroid · Langroid

Pchalasan · Published 2025-05-20 · Updated 2026-02-04

CVE-2026-25481
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Langroid versions prior to 0.59.32
Description: Langroid is a framework for building applications powered by large language models (LLMs). A weakness exists in the TableChatAgent component where the Web Application Firewall (WAF) can be bypassed. The bypass is due to a flaw in the literal_ok() function, which incorrectly returns False instead of raising an error when it encounters invalid input. Combined with unrestricted access to dangerous dunder attributes such as __init__, __globals__ and __builtins__, this allows attackers to chain whitelisted DataFrame methods to reach the eval builtin and ultimately execute arbitrary code. The issue allows for Remote Code Execution (RCE).
Recommendations: Update to version 0.59.32 or later. Review deployments for potential exposure.
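The two defects the description names are a validator that signals failure only through a return value, and an allowlist of DataFrame methods that does not also block dunder attribute access. The following is an added illustration of the fail-closed pattern a defender would want for an LLM-generated DataFrame expression; it is example code written for this page, not Langroid's code, and the function names (validate_expression, literal_ok_weak, prepare_hardened), the DataFrame variable name df and the method allowlist are all constructed for the example.

```python
import ast

# Constructed allowlist for this example; it is not Langroid's real configuration.
ALLOWED_METHODS = {"head", "tail", "describe", "groupby", "mean", "sum", "sort_values"}
DATAFRAME_NAME = "df"  # the only bare name an expression may reference

# Node types an expression may contain. Everything else (imports, lambdas,
# comprehensions, f-strings, assignments, ...) is rejected outright.
ALLOWED_NODES = (
    ast.Expression, ast.Load, ast.Constant, ast.Name, ast.Attribute, ast.Call,
    ast.Subscript, ast.Slice, ast.BinOp, ast.UnaryOp, ast.Compare, ast.BoolOp,
    ast.List, ast.Tuple, ast.keyword, ast.operator, ast.unaryop, ast.cmpop, ast.boolop,
) + tuple(getattr(ast, name) for name in ("Index",) if hasattr(ast, name))  # Python < 3.9 wraps subscripts in Index


class UnsafeExpression(ValueError):
    """Raised for any expression that is not provably within the allowlist."""


def validate_expression(expr: str) -> ast.Expression:
    """Hardened validator: parse the expression and raise on anything outside
    the allowlist. Because failure is an exception, a caller cannot forget to
    check the result and proceed with an unvalidated expression."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(f"not parseable: {exc.msg}") from exc
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise UnsafeExpression(f"node type not allowed: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id != DATAFRAME_NAME:
            raise UnsafeExpression(f"name not allowed: {node.id}")
        # Block dunder attributes regardless of which method the chain starts from,
        # so the "whitelisted method -> __globals__ -> builtins" path cannot exist.
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            raise UnsafeExpression(f"dunder attribute not allowed: {node.attr}")
        if isinstance(node, ast.Call):
            func = node.func
            if not isinstance(func, ast.Attribute):
                raise UnsafeExpression("only method calls on the DataFrame are allowed")
            if func.attr not in ALLOWED_METHODS:
                raise UnsafeExpression(f"method not allowed: {func.attr}")
    return tree


def literal_ok_weak(expr: str) -> bool:
    """Weak pattern from the advisory's bug class (hypothetical, not Langroid's code):
    the check reports a problem only through its return value."""
    try:
        validate_expression(expr)
    except UnsafeExpression:
        return False
    return True


def prepare_weak(expr: str):
    """A caller that never tests the boolean compiles the expression regardless.
    Nothing is executed here; this only shows that the weak check is bypassable
    by omission."""
    literal_ok_weak(expr)  # result silently discarded
    return compile(expr, "<expr>", "eval")


def prepare_hardened(expr: str):
    """Only a validated AST ever reaches compile(); the exception stops the
    pipeline before an unsafe expression is turned into a code object."""
    tree = validate_expression(expr)
    return compile(tree, "<expr>", "eval")


def is_rejected(expr: str) -> bool:
    """Helper for tests and logging: True if the hardened validator raises."""
    try:
        validate_expression(expr)
    except UnsafeExpression:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample expressions: a benign one and several that must be rejected.
    for sample in ["df.head(5).mean()", "df.__class__", "df.head.__globals__",
                   "__import__('os')", "open('x')", "df.eval('1')"]:
        print(f"{sample!r:32} rejected={is_rejected(sample)} weak_ok={literal_ok_weak(sample)}")
```

The validator is deliberately allowlist-based on AST node types: denylisting only the three dunder names the advisory mentions would leave every other introspection attribute reachable. The weak path still compiles a rejected expression because the caller never inspects the boolean; the hardened path has no such branch, which is the whole reason to prefer exceptions over return values for a security check.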

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-25481
GHSA-JQQ5-WC57-F8HJ
GHSA-X34R-63HX-W57F

Affected Products

Langroid