Ai-Tooling

• Langflow CVE-2026-33017: Unauthenticated RCE Exploited Within 20 Hours, Now on CISA KEV March 26, 2026

  CVE-2026-33017 is a CVSS 9.3 unauthenticated RCE in Langflow's public flow build endpoint. Attackers were scanning and exploiting within 20 hours of disclosure -- with no public PoC. CISA added it to the KEV catalog on March 25. If you run Langflow, upgrade to v1.9.0 now.