{"id":"PYSEC-2026-375","summary":"LangChain Experimental vulnerable to arbitrary code execution","details":"langchain_experimental (aka LangChain Experimental) before 0.0.52, part of LangChain before 0.1.8, allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the `__import__`, `__subclasses__`, `__builtins__`, `__globals__`, `__getattribute__`, `__bases__`, `__mro__`, or `__base__` attribute in Python code. These are not prohibited by `pal_chain/base.py`.","aliases":["CVE-2024-27444","GHSA-v8vj-cv27-hjv8"],"modified":"2026-07-01T20:22:55.398529Z","published":"2026-06-29T11:50:40.435355Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27444"},{"type":"WEB","url":"https://github.com/langchain-ai/langchain/commit/de9a6cdf163ed00adaf2e559203ed0a9ca2f1de7"},{"type":"PACKAGE","url":"https://github.com/langchain-ai/langchain"},{"type":"PACKAGE","url":"https://pypi.org/project/langchain-experimental"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-v8vj-cv27-hjv8"}],"affected":[{"package":{"name":"langchain-experimental","ecosystem":"PyPI","purl":"pkg:pypi/langchain-experimental"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.0.52"}]}],"versions":["0.0.1","0.0.10","0.0.11","0.0.12","0.0.13","0.0.14","0.0.15","0.0.16","0.0.17","0.0.18","0.0.19","0.0.1rc1","0.0.1rc2","0.0.1rc3","0.0.1rc4","0.0.2","0.0.20","0.0.21","0.0.22","0.0.23","0.0.24","0.0.25","0.0.27","0.0.28","0.0.29","0.0.3","0.0.30","0.0.31","0.0.32","0.0.33","0.0.34","0.0.35","0.0.36","0.0.37","0.0.38","0.0.39","0.0.4","0.0.40","0.0.41","0.0.42","0.0.43","0.0.44","0.0.45","0.0.46","0.0.47","0.0.48","0.0.49","0.0.5","0.0.50","0.0.51","0.0.6","0.0.7","0.0.8","0.0.9"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/langchain-experimental/PYSEC-2026-375.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}