CISA adds Trend Micro, Langflow

- CISA said on May 21 it added Trend Micro Apex One and Langflow flaws to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation.
- CISA set a June 4 remediation deadline for federal agencies for CVE-2026-34926 and CVE-2025-34291, the two newly added entries.
- Trend Micro points customers to bulletin KA-0023430, while CISA lists both flaws and their due dates in the KEV catalog.

CISA added two software flaws to its Known Exploited Vulnerabilities catalog on May 21, saying the bugs in Trend Micro Apex One and Langflow were being actively exploited. The agency named the issues as CVE-2026-34926 in Trend Micro Apex One on-premise and CVE-2025-34291 in Langflow. CISA said the additions were based on evidence of active exploitation and told federal civilian agencies to remediate them by June 4. The move put a federal deadline on two products that sit in security and application-development workflows, where patching can spill into broader production environments.

### Which flaws did CISA add, exactly?

CISA identified CVE-2026-34926 as a directory traversal vulnerability in Trend Micro Apex One on-premise. In the KEV catalog, the agency said a “pre-authenticated local attacker” could modify a key table on the server and inject malicious code to deploy to agents on affected installations. That deployment path is what makes a management-server flaw more serious than its traversal label suggests: code placed on the server can be pushed out to the endpoints the server manages. The catalog lists the entry under Trend Micro Apex One, with a date added of May 21 and a due date of June 4. (cisa.gov)

CISA identified CVE-2025-34291 as an origin validation error in Langflow. The agency said an overly permissive CORS configuration, combined with a refresh token cookie set with `SameSite=None`, could let a malicious webpage send credentialed cross-origin requests to the refresh endpoint, obtain tokens and reach authenticated endpoints. The two settings do different jobs in the chain: the `SameSite=None` cookie is what makes the victim's browser attach the session to a cross-site request, and the permissive CORS policy is what lets the attacker's page read the response that carries the new token. CISA said that chain “could allow the attacker to execute arbitrary code and achieve full system compromise.” (cisa.gov)

### Why does a KEV addition matter beyond a new advisory?

Binding Operational Directive 22-01 requires Federal Civilian Executive Branch agencies to remediate KEV-listed vulnerabilities by the date CISA sets, and the agency said these vulnerabilities are “frequent attack vectors for malicious cyber actors” that pose significant risks to the federal enterprise.
CISA also said it “strongly urges all organizations” to prioritize timely remediation of KEV vulnerabilities as part of vulnerability management, even though the directive formally applies only to federal civilian agencies. (cisa.gov)

CISA said this week it had also launched a new online KEV nomination form, alongside its existing email process, to let researchers and organizations submit vulnerabilities they believe are being actively exploited. The agency called the KEV catalog an “authoritative source” of vulnerabilities confirmed as exploited in the wild with clear remediation guidance. (cisa.gov)

### What does Trend Micro say about the Apex One issue?

Trend Micro’s bulletin KA-0023430 describes CVE-2026-34926 as a directory traversal vulnerability in Apex One on-premise. The company said a pre-authenticated local attacker could modify a key table on the server to inject malicious code for deployment to agents on affected installations. Trend Micro published the bulletin on May 21, according to the advisory page linked from CISA’s catalog. (cisa.gov)

Trend Micro’s advisory page also groups CVE-2026-34926 with another Apex One issue, CVE-2026-34927, and says patches or updates are available. CISA’s KEV entry, however, names only CVE-2026-34926 in this round of additions. Administrators applying the update for the KEV entry should confirm from the bulletin that it also covers CVE-2026-34927, rather than treating the second issue as out of scope because it is absent from the catalog.

### What is known about the Langflow bug?

GitHub’s advisory database says CVE-2025-34291 affects Langflow versions up to and including 1.6.9 and describes it as a chained vulnerability that can lead to account takeover and remote code execution. (github.com) The advisory says the issue stems from permissive CORS settings combined with cookie handling that allows cross-origin requests with credentials.

A separate GitHub security advisory for Langflow describes another critical issue, GHSA-vwmf-pq79-vjvx, affecting versions up to 1.8.2 and patched in 1.9.0, but that is distinct from the CVE CISA added on May 21. The two affected-version ranges differ, so a running instance should be checked against both rather than against the KEV entry alone. CISA’s KEV notice and catalog entry specifically reference CVE-2025-34291.
### What happens next, and where should defenders look?

June 4 is the remediation deadline CISA set for federal agencies for both entries added on May 21. The KEV catalog page lists the due dates and links to vendor or vulnerability references, including Trend Micro’s bulletin for Apex One. Organizations tracking the issue can monitor CISA’s KEV catalog for status and Trend Micro’s advisory page for product-specific guidance. Langflow operators who cannot upgrade immediately can at least review the two settings the KEV description names, the CORS origin allowlist and the `SameSite` attribute on the refresh token cookie, while the upgrade is scheduled. (cisa.gov 1) (cisa.gov 2)
