DAY 006 · 12 JUNE 2026 · DAILY INTELLIGENCE

Actively Exploited, Nobody Home

An 8.8-severity flaw in Langflow — the open-source platform thousands use to build AI applications — is being exploited in the wild. There is no patch. The maintainers have not answered a disclosure attempt since January. This is what the AI gold rush is actually built on.

01 // LEAD STORY

Langflow: the AI boom's scaffolding is unmaintained, and attackers noticed first

The vulnerability itself is almost boring. CVE-2026-5027 is a path traversal in Langflow's file-upload endpoint: the filename parameter is not sanitised, so an attacker can use ../ segments to write files to arbitrary locations on the filesystem, the classic trick. CVSS 8.8, and now under active exploitation according to VulnCheck. What elevates it to a lead story is everything around it.
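The bug class in miniature, as an added Python illustration for this brief. It is not Langflow's code and does not reproduce CVE-2026-5027; the handler names, the sandbox directory and the sample filenames are all constructed here. The vulnerable handler joins the client-supplied filename straight onto the upload directory; the hardened one rejects anything that is not a single path component and then confirms the resolved target still sits under the upload root.

```python
"""Path traversal in a file-upload handler: the vulnerable join beside a hardened one.

Added illustration for this brief. It is NOT Langflow's code and does not reproduce
CVE-2026-5027; the function names, the sandbox directory and the sample filenames
are all constructed for the demonstration.
"""
import tempfile
from pathlib import Path

# Constructed sandbox: SANDBOX stands in for the host filesystem, UPLOAD_ROOT for
# the directory uploads are meant to land in. Escaping UPLOAD_ROOT lands in SANDBOX.
SANDBOX = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
UPLOAD_ROOT = SANDBOX / "uploads"
UPLOAD_ROOT.mkdir()


def save_upload_vulnerable(filename: str, data: bytes) -> Path:
    """The classic bug: the client-supplied filename is joined onto the upload
    directory as-is. A filename like '../escaped.txt' walks out of UPLOAD_ROOT,
    and an absolute filename replaces the root entirely (pathlib semantics)."""
    target = UPLOAD_ROOT / filename
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target.resolve()


def safe_upload_path(filename: str) -> Path:
    """Reject rather than 'sanitise'. Two independent checks:
    1. the filename must be a single path component (no separators, no '.'/'..',
       no NUL byte, not empty);
    2. the resolved target must still sit directly under the resolved UPLOAD_ROOT,
       which also catches symlinks planted inside the upload directory.
    This runs on the decoded value: web frameworks decode %2e%2e%2f before the
    handler sees it, so filtering the raw URL would not be enough."""
    if not filename or filename in (".", "..") or "\x00" in filename:
        raise ValueError(f"rejected filename: {filename!r}")
    if "/" in filename or "\\" in filename:
        raise ValueError(f"rejected filename: {filename!r}")
    root = UPLOAD_ROOT.resolve()
    target = (root / filename).resolve()
    if target.parent != root:
        raise ValueError(f"resolved outside upload root: {target}")
    return target


def save_upload_hardened(filename: str, data: bytes) -> Path:
    """Same handler with the check in front of the write."""
    target = safe_upload_path(filename)
    target.write_bytes(data)
    return target


def is_rejected(filename: str) -> bool:
    """True if the hardened check refuses the filename."""
    try:
        safe_upload_path(filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed payloads: the vulnerable handler writes outside UPLOAD_ROOT,
    # the hardened one refuses everything that is not a plain filename.
    escaped = save_upload_vulnerable("../escaped.txt", b"attacker-controlled")
    print("vulnerable handler wrote:", escaped,
          "inside upload root:", escaped.parent == UPLOAD_ROOT.resolve())
    for name in ["report.pdf", "../escaped.txt", "..", "sub/dir.txt", "a\\b.txt", "x\x00.txt"]:
        print(f"{name!r:20} rejected={is_rejected(name)}")
```

The containment check is the one that matters in practice: a denylist of `..` sequences is the fix that keeps getting bypassed (encoding variants, mixed separators, symlinks), whereas resolving the final path and comparing its parent to the resolved root judges the outcome rather than the input.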

Tenable, which found the flaw, says it tried to reach the project's maintainers three times across January and February before going public in late March. Silence. It is now mid-June: the vulnerability is being exploited in the wild and there is still no patch. Langflow isn't an obscure library — it's one of the most popular low-code platforms for assembling AI applications, the kind of tool that sits in the build pipeline of countless startups racing to ship "AI-powered" products this quarter.

The industry is pouring billions into AI applications and approximately nothing into the unpaid open-source plumbing they all stand on. Attackers have read that balance sheet.

The critical reading: this is the xz-utils lesson refusing to be learned, with an AI accent. Venture capital prices the application layer; nobody prices maintenance. When a project this widely deployed can go silent for five months with a known, exploitable, unauthenticated file-write bug, "open source supply chain risk" stops being a compliance checkbox and becomes a live operational question. If Langflow is anywhere in your stack: take it off the public internet today, firewall the API, and treat any instance that was exposed as potentially compromised. Check the upload directory and every path the service account can write to for files you did not put there, because file-write primitives rarely stay file-write primitives for long.

02 // FIELD REPORT

JDY rises again: 1,500 routers quietly mapping the internet for Beijing

Black Lotus Labs is warning of a "resurgence and expansion" of JDY, a covert network of more than 1,500 compromised SOHO routers, firewalls and IoT devices operating as a centrally controlled, high-performance scanner — discovering, fingerprinting and continuously mapping exposed services at scale. The lineage matters: JDY emerged as a cluster within KV-botnet, the infrastructure used by Volt Typhoon, the China-nexus group that pre-positions inside critical infrastructure. The US government took KV-botnet down in early 2024. The operators adapted, went quiet, and rebuilt.

Read this next to today's lead and the picture is uncomfortable in a specific way: JDY is the reconnaissance layer. A botnet that continuously maps exposed services pairs very naturally with a world where unpatched, actively exploitable flaws sit in public for months. One side builds the target list; the other side is the target list. Your perimeter devices — the routers and firewalls nobody updates — are not the things being protected. Increasingly, they are the things doing the scanning.

03 // PATCH DESK

Ivanti rooted, Oracle's quiet mitigation, and CISA rewrites the deadline rules

IVANTI SENTRY Attackers are targeting a recently patched maximum-severity flaw, executing code with root privileges on internet-exposed servers. Patch was available; exposure window did the damage. Verify your version, then audit for compromise.

ORACLE Mitigations released for CVE-2026-35273 — with Oracle declining to say whether it was the zero-day used in the ShinyHunters attacks. The silence is its own advisory.

CHECK POINT Warning of a zero-day flaw being targeted by a ransomware affiliate. Security products remain the most valuable doors in the building — see also Day 005's Defender PoC.

CISA BOD 26-04 New binding directive gives federal agencies risk-tiered remediation deadlines for KEV-listed flaws, replacing one-size-fits-all timelines. Sensible policy — and an implicit admission that the patch volume of 2026 has made "fix everything fast" arithmetically impossible.

04 // INCIDENT

University of Nottingham: student records breached, alumni included

The University of Nottingham confirmed a hacking group gained access to its student records system, affecting current students and alumni. Universities keep getting hit for the same structural reason: they hold bank-grade personal data behind academia-grade budgets, spread across decades of legacy systems and thousands of loosely managed accounts. The alumni detail is the part to sit with — your data outlives your relationship with every institution that ever collected it.

05 // SIGNAL

The week's verdict, from the people who would know

Closing the arc this brief has tracked since Day 004: industry veterans including Kevin Mandia and Alex Stamos are now saying plainly that AI is finding bugs faster than anyone can fix them, and that exploit development is accelerating beyond most organisations' capacity to respond. Meanwhile, governments and financial institutions are reviewing the risks of advanced models that have already surfaced thousands of vulnerabilities — capability impressive enough to be deliberately restricted over misuse concerns.

Put the week in one sentence: discovery is automated (Day 004's record Patch Tuesday), the gap is public (Day 005's RoguePlanet PoC), the scaffolding is unmaintained (today's Langflow), and the people who built modern incident response are saying the fix side is losing this lap of the race. The honest conclusion isn't despair. It's that defence has to automate the way offence already has, and that "we patch quarterly" is now a threat-model confession.

SOURCES: CyberScoop