CVE-2026-50180

langroid · langroid

The Langroid framework is vulnerable to path traversal and SQL injection attacks, allowing unauthenticated remote attackers to compromise data integrity and confidentiality.

Executive summary

The Langroid framework is susceptible to multiple high-severity vulnerabilities, including path traversal and SQL injection, which could lead to unauthorized data access.

Vulnerability

This vulnerability encompasses improper limitation of pathnames to restricted directories (CWE-22) and improper neutralization of SQL command elements (CWE-89). Unauthenticated attackers can leverage these flaws to manipulate file system access or execute arbitrary database queries.

Business impact

The combination of path traversal and SQL injection poses a severe threat to the confidentiality and integrity of applications built on the Langroid framework. With a CVSS score of 8.7, this flaw could allow attackers to exfiltrate sensitive data or manipulate backend application logic, leading to significant reputational and operational damage.

Remediation

Immediate Action: Update the Langroid framework to version 0.64.0 or later immediately to resolve these injection vectors.

Proactive Monitoring: Review application logs for patterns indicative of path traversal (e.g., ../ sequences) or suspicious SQL syntax injected into input fields.

Compensating Controls: Deploy a Web Application Firewall (WAF) configured with rules to detect and block common SQL injection and directory traversal payloads.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the severity of these injection vulnerabilities, users of the Langroid framework must prioritize the upgrade to version 0.64.0. Failure to patch these flaws leaves applications exposed to trivial data exfiltration and potential system-level compromise.