{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-04T11:03:05.526","vulnerabilities":[{"cve":{"id":"CVE-2026-26013","sourceIdentifier":"security-advisories@github.com","published":"2026-02-10T22:17:00.453","lastModified":"2026-03-17T20:30:07.960","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11."},{"lang":"es","value":"LangChain es un framework para construir agentes y aplicaciones impulsadas por LLM. Antes de la versión 1.2.11, el método ChatOpenAI.get_num_tokens_from_messages() obtiene valores arbitrarios de image_url sin validación al calcular el recuento de tokens para modelos habilitados para visión. Esto permite a los atacantes desencadenar ataques de falsificación de petición del lado del servidor (SSRF) al proporcionar URLs de imagen maliciosas en la entrada del usuario. Esta vulnerabilidad está corregida en la versión 1.2.11."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","baseScore":3.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":2.2,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:langchain:langchain_core:*:*:*:*:*:python:*:*","versionEndExcluding":"1.2.11","matchCriteriaId":"5CCC1EB9-D45D-465A-96B4-2E6D1DE724FC"}]}]}],"references":[{"url":"https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r","source":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"]}]}}]}