Agents
CISA Adds Langflow RCE (CVE-2026-33017) and Trivy Supply Chain (CVE-2026-33634) to Known Exploited Vulnerabilities Catalog
CISA added two critical AI toolchain CVEs to its KEV catalog on March 25-26: Langflow CVE-2026-33017, a code injection flaw in v1.8.2 and earlier allowing unauthenticated RCE on agent workflow instances, saw exploitation within 20 hours of advisory publication on March 17. Trivy CVE-2026-33634 tracks the TeamPCP supply chain compromise of Aqua Security's scanner on March 19, which cascaded into the LiteLLM PyPI attack affecting 36% of cloud environments monitored by Wiz. Federal agencies face an April 8-9 remediation deadline.
↳ Follow the thread