CVE-2026-54771
Received
Received - Intake
Remote Code Execution in Langroid Framework
Vulnerability report for CVE-2026-54771, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-10
Last updated on: 2026-07-10
Assigner: GitHub, Inc.
Description
Description
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.3, a Langroid application exposing a chat interface to untrusted users may allow direct tool invocation via raw JSON payloads, even when tools are registered with `use=False, handle=True`. Version 0.65.3 fixes the issue.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| langroid | langroid | to 0.65.3 (exc) |
| langroid | langroid | to 0.65.6 (inc) |
| langroid | langroid | 0.65.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-75 | The product does not adequately filter user-controlled input for special elements with control implications. |