A vulnerability, which was classified as critical , has been found in langflow-ai langflow up to 1.9.3 . This affects an unknown function of the component Bundle URL Loader . The manipulation leads to code injection. This vulnerability is documented as CVE-2026-12822 . The attack needs to be performed locally. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.