Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities Help Net Security

CISA sounds alarm on Langflow RCE, Trivy supply chain compromise after rapid exploitation

CISA has mandated urgent patching for two actively exploited vulnerabilities: CVE-2026-33017, a critical (CVSS 9.8) code injection flaw in Langflow allowing RCE, affecting versions prior to 1.8.2, and CVE-2026-33634, a high-severity (CVSS 8.8) supply chain compromise in Aqua Security's Trivy scanner. Langflow must be upgraded to version 1.8.2, while affected Trivy components require updates to versions 0.2.6 or 0.35.0, and affected LiteLLM components require updates beyond versions 1.82.7 and 1.82.8.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2026-33017, a recently disclosed code injection vulnerability in Langflow, an open-source framework for building AI agents and workflows, and CVE-2026-33634, an embedded malicious code vulnerability in Aqua Security’s Trivy security scanner. Their addition to the catalog means that US federal civilian agencies are required to address the flaws within their networks by April 8 and 9, …

The post CISA sounds alarm on Langflow RCE, Trivy supply chain compromise after rapid exploitation appeared first on Help Net Security.
