CVE-2024-46946
https://notcve.org/view.php?id=CVE-2024-46946
19 Sep 2024 — langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attackers to execute arbitrary code through sympy.sympify (which uses eval) in LLMSymbolicMathChain. LLMSymbolicMathChain was introduced in fcccde406dd9e9b05fc9babcbeb9ff527b0ec0c6 (2023-10-05). • https://cwe.mitre.org/data/definitions/95.html • CWE-20: Improper Input Validation •
CVE-2024-21513
https://notcve.org/view.php?id=CVE-2024-21513
15 Jul 2024 — Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution: when retrieving values from the database, the code will attempt to call 'eval' on all values. An attacker can exploit this vulnerability and execute arbitrary Python code if they can control the input prompt and the server is configured with VectorSQLDatabaseChain. **Notes:** Impact on the Confidentiality, Integrity and Availability of the vulnerable component: Confidentiality: Code execut... • https://github.com/langchain-ai/langchain/blob/672907bbbb7c38bf19787b78e4ffd7c8a9026fe4/libs/experimental/langchain_experimental/sql/vector_sql.py%23L81 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-38459
https://notcve.org/view.php?id=CVE-2024-38459
16 Jun 2024 — langchain_experimental (aka LangChain Experimental) before 0.0.61 for LangChain provides Python REPL access without an opt-in step. NOTE: this issue exists because of an incomplete fix for CVE-2024-27444. • https://github.com/langchain-ai/langchain/commit/ce0b0f22a175139df8f41cdcfb4d2af411112009 • CWE-276: Incorrect Default Permissions •
CVE-2024-27444
https://notcve.org/view.php?id=CVE-2024-27444
26 Feb 2024 — langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the __import__, __subclasses__, __builtins__, __globals__, __getattribute__, __bases__, __mro__, or __base__ attribute in Python code. These are not prohibited by pal_chain/base.py. • https://github.com/langchain-ai/langchain/commit/de9a6cdf163ed00adaf2e559203ed0a9ca2f1de7 • CWE-749: Exposed Dangerous Method or Function •
CVE-2023-44467
https://notcve.org/view.php?id=CVE-2023-44467
09 Oct 2023 — langchain_experimental (aka LangChain Experimental) in LangChain before 0.0.306 allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via __import__ in Python code, which is not prohibited by pal_chain/base.py. langchain_experimental 0.0.14 allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via PALChain in the python exec method. • https://github.com/langchain-ai/langchain/commit/4c97a10bd0d9385cfee234a63b5bd826a295e483 •