
CISA adds Langflow, Trend Micro flaws to KEV Catalog

Federal agencies face mandatory remediation under BOD 22-01.


TL;DR

CISA added two vulnerabilities to the Known Exploited Vulnerabilities Catalog on May 21: CVE-2025-34291, an origin validation error in Langflow, and CVE-2026-34926, a directory traversal in Trend Micro Apex One. Both are under active exploitation. FCEB agencies must remediate by CISA's assigned due dates under BOD 22-01; contractors supporting federal systems are strongly urged to do the same. The alert does not specify the remediation deadlines.

Langflow is an open-source AI workflow builder deployed across federal AI/ML pipelines, and Trend Micro Apex One is a common endpoint security product in government environments. KEV Catalog inclusion means CISA has confirmed active exploitation, not merely a proof of concept or a vendor advisory. The two CVEs join a catalog that has grown steadily since BOD 22-01 took effect in November 2021; a routine addition of this kind typically triggers a 14- to 21-day remediation window once the due dates post. Check the KEV Catalog directly for the specific deadlines, which CISA usually publishes within 24 hours of the alert.


Deep Fathom