Langflow CVE-2026-33017 exploitation wave

Exploitation Wave
H score 58
2 unique sources, 2 articles

Summary

CVE-2026-33017 in Langflow is being exploited in a fast-moving early wave that surfaced within 20 hours of the advisory, putting exposed instances at immediate risk of remote code execution and follow-on theft. Attackers built working exploits from the advisory description and began automated scanning across the internet. The activity already included credential harvesting from vulnerable systems, including databases, API keys, cloud credentials, and configuration files.

Related Happenings

MetInfo CMS unauthenticated PHP code injection actively exploited remote code execution flaw (CVE-2026-29014)

Vulnerability
First: 05.05.2026 14:56 Last: 05.05.2026 14:56 Sources 1

About this happening: **CVE-2026-29014** in **MetInfo CMS** is **actively exploited**, putting **versions 7.9, 8.0, and 8.1** at risk of **remote code execution** and full server takeover. **MetInfo**...

cPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)

Exploitation Wave
First: 04.05.2026 11:25 Last: 04.05.2026 11:25 Sources 1

About this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...

TP-Link router authenticated command injection (CVE-2023-33538)

Vulnerability
First: 20.04.2026 10:50 Last: 20.04.2026 10:50 Sources 1

About this happening: **CVE-2023-33538** in **discontinued TP-Link routers** is still being probed, leaving exposed devices at risk of **arbitrary command execution** and **denial of service** if attac...

Nginx UI auth-bypass exploitation wave (CVE-2026-33032)

Exploitation Wave
First: 16.04.2026 01:35 Last: 16.04.2026 01:35 Sources 1

About this happening: **CVE-2026-33032** is now **actively exploited**, creating immediate risk for **publicly exposed Nginx UI** instances that rely on the vulnerable **/mcp_message** endpoint. Intern...

Marimo CVE-2026-39987 exploitation wave

Exploitation Wave
First: 12.04.2026 17:20 Last: 12.04.2026 17:20 Sources 1

About this happening: **Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...

Timeline

  1. 20.03.2026 12:20 1 article · 2mo ago

    March 17 advisory discloses CVE-2026-33017 in Langflow

    Initial Disclosure

    A March 17 advisory disclosed CVE-2026-33017 in Langflow, an unauthenticated remote code execution flaw with CVSS 9.3 that lets attackers execute arbitrary Python code on exposed instances with a single HTTP request and no credentials.

  2. 20.03.2026 12:20 3 articles · 2mo ago

    Observed exploit activity against exposed Langflow instances

    Exploitation Observed

    Sysdig reported on March 20 that honeypots saw threat actors build working exploits directly from the advisory description, scan exposed Langflow instances from four source IPs using the same payload, and use custom Python exploit scripts delivered via a stage-2 dropper to harvest databases, API keys, cloud credentials, and configuration files.
