An unpatched, already-exploited Remote Code Execution in Langflow (CVE-2026-5027) enables unauthenticated file-write attacks with no available patch.