Langflow carries the highest-priority item in this rollup: CVE-2026-33017, an unauthenticated RCE vulnerability rated CVSS 9.8. It is confirmed on CISA’s KEV catalog, with active exploitation and attacker dwell times as short as 20 hours post-exposure. Treat any internet-facing Langflow instance as potentially compromised and isolate it immediately. Apply the official patch from the Langflow GitHub release channel, and rotate all credentials and API keys accessible to the Langflow service account before restoring network access.