← All articles

CISA adds two to KEV: Langflow CVE-2025-34291 (Flodric botnet) and Trend Micro Apex One CVE-2026-34926 (directory traversal)

CISA has added two new entries to its Known Exploited Vulnerabilities catalog. CVE-2025-34291 is an origin-validation/CORS chain in Langflow, a popular open-source AI agent framework, that lets a malicious webpage exfiltrate refresh tokens and reach the code-validation endpoint for full RCE. Active exploitation began on January 23, 2026, and threat actors have been deploying the Flodric botnet through compromised instances. CVE-2026-34926 is a directory-traversal flaw in Trend Micro Apex One (On-Premise) that allows file read or write outside the intended path. FCEB agencies must remediate by June 11 per BOD 22-01; CISA urges all organisations to do the same.

Check
Inventory Langflow deployments and confirm version is 1.9.3 or later (CVE-2025-34291 patched). Inventory Trend Micro Apex One On-Premise deployments and check patch level for CVE-2026-34926.
Affected
Langflow before 1.9.3 (Flodric botnet seen exploiting in the wild). Trend Micro Apex One On-Premise (specific affected versions per Trend's KA-0023430 advisory). Internet-facing instances are at highest risk.
Fix
Upgrade Langflow to 1.9.3+ and Apex One per Trend Micro's KA-0023430. FCEB agencies must remediate by June 11. Restrict the affected admin consoles to management networks behind VPN.