Path-traversal vulnerability CVE-2026-5027 in Langflow enables remote code execution and is actively exploited, though a patch has been available since April.