SSRF and XSS Vulnerability Disclosures in LeafKit and LangChain Community
Multiple application-layer vulnerabilities were disclosed across popular developer components, including an XSS escaping bypass in LeafKit (Vapor’s Swift templating engine) and an SSRF bypass in @langchain/community. Vapor released an updated LeafKit version to address an HTML escaping flaw where Unicode extended grapheme clusters could bypass escaping in Leaf templates: Swift treats certain sequences as a single character while browsers parse them as multiple characters, enabling attackers to break out of HTML attributes and inject malicious attributes/scripts. The issue was reported by bawolff and fixed in a LeafKit release referenced by Vapor’s advisory.
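The escaping flaw described above comes down to which unit the escaper compares against the HTML metacharacters. The following is an added illustration, not LeafKit or Vapor code: `escapeByGrapheme` models a Swift-style escaper that compares whole extended grapheme clusters (approximated here as a base code point plus trailing combining marks, which is an assumption for illustration), and `escapeByCodePoint` shows the fix of deciding per code point. The input strings are constructed for the example.

```javascript
// Added example, not LeafKit code: attribute escaping by grapheme cluster
// (the vulnerable pattern) beside escaping by code point (the fix).

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Approximation of extended grapheme clustering for this example: a non-mark
// code point followed by any number of combining marks (\p{M}) is one unit.
function graphemeClusters(str) {
  return str.match(/\P{M}\p{M}*|\p{M}+/gu) ?? [];
}

// Vulnerable pattern: replace only when the entire cluster equals a metacharacter.
// A quote followed by U+0301 is one cluster, so it is never escaped, but the
// browser tokenizes the U+0022 quote first and closes the attribute.
function escapeByGrapheme(str) {
  return graphemeClusters(str).map((g) => ESCAPES[g] ?? g).join('');
}

// Fixed pattern: decide per code point. Combining marks pass through untouched,
// and the quote they follow is still replaced.
function escapeByCodePoint(str) {
  return Array.from(str).map((cp) => ESCAPES[cp] ?? cp).join('');
}

// Render a value into an attribute context with the chosen escaper.
function renderAttr(name, value, escape) {
  return `<input ${name}="${escape(value)}">`;
}

// Stand-alone demonstration with a constructed input.
function demo() {
  const tainted = '"\u0301';
  return {
    byGrapheme: renderAttr('value', tainted, escapeByGrapheme),   // raw quote survives
    byCodePoint: renderAttr('value', tainted, escapeByCodePoint), // quote becomes &quot;
  };
}
```

The point the test makes is that the grapheme-based escaper leaves a raw U+0022 in the output whenever it is followed by a combining mark, while the code-point escaper does not; any escaper that walks Swift `Character`s (or another grapheme-cluster abstraction) needs the same per-scalar treatment.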
Separately, @langchain/community was reported vulnerable to CVE-2026-26019 (also tracked as GHSA-gf3v-fwqg-4vh7), affecting versions ≤ 1.1.13 and fixed in 1.1.14. The flaw sits in RecursiveUrlLoader, where a non-semantic String.startsWith() check could be bypassed with crafted hostnames (e.g., https://example.com.attacker.com), and where insufficient filtering allowed access to private/reserved IP ranges and cloud metadata endpoints such as 169.254.169.254, potentially exposing IAM credentials/tokens in cloud-hosted deployments. A separate write-up describes a different SSRF scenario involving a misconfigured Sentry tunnel endpoint and provides general SSRF background, but it does not appear to be part of the same LeafKit or LangChain disclosure.
Timeline
Feb 18, 2026
Vapor publishes LeafKit XSS vulnerability post
The Vapor Blog published a post about a LeafKit HTML escaping vulnerability. The referenced content gives no further details from which to extract additional distinct events.
Feb 17, 2026
LangChain fixes CVE-2026-26019 in version 1.1.14
LangChain addressed the SSRF bypass in @langchain/community version 1.1.14 by adding strict origin validation with the URL API and SSRF filtering utilities to block private, loopback, metadata, and non-HTTP(S) targets. Users unable to upgrade were advised to avoid untrusted content and isolate RecursiveUrlLoader from internal networks.
Feb 17, 2026
LangChain Community SSRF bypass vulnerability identified
A server-side request forgery bypass flaw affecting @langchain/community versions up to 1.1.13 was identified and assigned CVE-2026-26019. The issue involved RecursiveUrlLoader domain validation using startsWith() and inadequate blocking of private and reserved IP ranges, allowing access to internal services and cloud metadata endpoints.
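The two defects in the timeline entries above, a prefix check on the URL string and weak filtering of private and reserved addresses, and the fix described for 1.1.14 (origin validation with the URL API plus SSRF filtering of private, loopback, metadata and non-HTTP(S) targets), can be shown side by side. This is an added example and is not @langchain/community code: `allowedByPrefix` reproduces the startsWith() pattern, `allowedByOrigin` compares WHATWG `URL.origin` values, and `isBlockedAddress` is an assumed literal-address filter. The hostnames and addresses are constructed for the example.

```javascript
// Added example, not @langchain/community code: prefix check (vulnerable),
// origin check (fix), and a literal-address filter for a URL crawler.

// Vulnerable pattern: "https://example.com.attacker.com" starts with
// "https://example.com", so a plain string prefix test accepts it.
function allowedByPrefix(candidate, base) {
  return candidate.startsWith(base);
}

// Fixed pattern: parse both sides and compare scheme + host + port as one origin.
// Unparseable input and non-HTTP(S) schemes are rejected.
function allowedByOrigin(candidate, base) {
  let c, b;
  try { c = new URL(candidate); b = new URL(base); } catch { return false; }
  return c.origin === b.origin && (c.protocol === 'http:' || c.protocol === 'https:');
}

function parseIPv4(host) {
  const parts = host.split('.');
  if (parts.length !== 4) return null;
  const nums = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  return nums.every((n) => n >= 0 && n <= 255) ? nums : null;
}

function isBlockedIPv4([a, b]) {
  return a === 0 || a === 10 || a === 127 ||      // "this" network, private, loopback
    (a === 100 && b >= 64 && b <= 127) ||         // carrier-grade NAT 100.64/10
    (a === 169 && b === 254) ||                   // link-local, incl. 169.254.169.254
    (a === 172 && b >= 16 && b <= 31) ||          // private 172.16/12
    (a === 192 && b === 168);                     // private 192.168/16
}

// True when the hostname is a literal address in a range that must not be fetched.
// DNS names return false here; the resolved address has to be re-checked at
// connect time (DNS rebinding), which this example leaves out.
function isBlockedAddress(hostname) {
  const host = hostname.replace(/^\[|\]$/g, '').toLowerCase();
  const v4 = parseIPv4(host);
  if (v4) return isBlockedIPv4(v4);
  if (host.includes(':')) {
    // IPv4-mapped IPv6 in dotted form (::ffff:169.254.169.254) ...
    const dotted = host.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    if (dotted) { const m = parseIPv4(dotted[1]); return m ? isBlockedIPv4(m) : true; }
    // ... or in the hex form the WHATWG parser serializes it to (::ffff:a9fe:a9fe)
    const hex = host.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
    if (hex) {
      const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
      return isBlockedIPv4([hi >> 8, hi & 255, lo >> 8, lo & 255]);
    }
    if (host === '::1' || host === '::') return true;  // loopback, unspecified
    if (/^f[cd]/.test(host)) return true;               // unique local fc00::/7
    if (/^fe[89ab]/.test(host)) return true;            // link-local fe80::/10
  }
  return false;
}

// Combined gate for a recursive crawler: same origin as the seed URL, http(s)
// only, and not a blocked literal address.
function mayFetch(candidate, seed) {
  if (!allowedByOrigin(candidate, seed)) return false;
  return !isBlockedAddress(new URL(candidate).hostname);
}
```

Because `mayFetch` goes through `new URL()`, the hostname it checks is the parser's canonical form, which is why the filter accepts the bracketed and hex IPv6 spellings as well as dotted IPv4. The remaining gap, noted in the comments, is that a hostname resolving to a blocked address at connect time is not caught by a literal check; a production filter applies the same test to the resolved socket address.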
Related Stories

LangChain Flaws Enable Information Disclosure and Security Bypass
German CERT advisories disclosed two vulnerabilities in **LangChain**, warning that the framework is affected by flaws that can lead to **information disclosure** and the **bypassing of security measures**. The issues were published in separate notices, identified as `2026-0877` and `2026-1010`, indicating multiple security weaknesses affecting the widely used LLM application framework. The advisories provide limited public detail, but the reported impact suggests attackers could expose sensitive data and circumvent protections built into LangChain-based deployments. Organizations using LangChain should review the affected advisories, identify exposed implementations, and prioritize vendor guidance, patching, and compensating controls to reduce the risk of data exposure and weakened application security.
6 days ago
LangChain Serialization Injection Vulnerabilities Enable Secret Extraction
Two critical serialization injection vulnerabilities were discovered in the LangChain framework, which is widely used for building LLM-powered applications. The first vulnerability (CVE-2025-68665) affects the `toJSON()` method in LangChain JS and related serialization routines, where user-controlled data containing the reserved `lc` key could be misinterpreted as legitimate LangChain objects during deserialization. The second vulnerability (CVE-2025-68664) impacts the `dumps()` and `dumpd()` functions, allowing attacker-supplied dictionaries with the `lc` key to be treated as internal objects, potentially leading to the extraction of secrets or the instantiation of internal classes with attacker-defined parameters. Both vulnerabilities are remotely exploitable and have been patched in recent versions of LangChain and LangChain Core. Exploitation of these flaws could allow attackers to extract sensitive information such as environment variables or manipulate application behavior by injecting malicious data structures. Organizations using affected versions of LangChain are strongly advised to upgrade to the patched releases—@langchain/core versions 0.3.80 and 1.1.8, langchain versions 0.3.37 and 1.2.3 for CVE-2025-68665, and langchain-core 0.3.81 and 1.2.5 for CVE-2025-68664—to mitigate the risk of exploitation.
1 month ago
Cross-Site Scripting Vulnerabilities in SiYuan, Angular, and @leanprover/unicode-input-component
Multiple newly reported **cross-site scripting (XSS)** vulnerabilities affect unrelated software products, including **SiYuan**, **Angular**, and **@leanprover/unicode-input-component**. In SiYuan, incomplete SVG sanitization can let an unauthenticated attacker deliver a crafted URL that executes arbitrary JavaScript in the application's origin, enabling theft of session tokens, cookies, and API keys, as well as unauthorized access to notes, document contents, and configuration data. In Electron-based deployments, the impact may escalate to **remote code execution** if insecure web preferences such as `nodeIntegration` are enabled or `contextIsolation` is disabled. Angular disclosed a separate XSS flaw, tracked as **CVE-2026-32635**, caused by a sanitization bypass involving internationalized security-sensitive attributes such as `href` when combined with untrusted data binding; fixed versions include `22.0.0-next.3`, `21.2.4`, `20.3.18`, and `19.2.20`. A third, distinct issue, **CVE-2026-32732**, affects **@leanprover/unicode-input-component** and allows arbitrary JavaScript execution in a victim's browser session, potentially enabling session abuse, data access, and unauthorized backend requests. These are separate vulnerability disclosures rather than a single coordinated incident.
1 month ago