Is CVE-2026-28277 in the CISA Known Exploited Vulnerabilities catalog?

CVE-2026-28277 is not currently listed in the CISA KEV catalog.

Vulnerability intelligence

CVE-2026-28277

SQL injection in the SQLite checkpointer. Unsafe msgpack deserialization. Chain them together and you own the server. 46.5 million monthly downloads. Every self-hosted AI agent deployment using LangGraph's default checkpointer was vulnerable.

2026

What WebPulse reported · 1 analysis

LangGraph: The AI Agent Framework with 46 Million Downloads Has a Remote Code Execution Chain

SQL injection in the SQLite checkpointer. Unsafe msgpack deserialization. Chain them together and you own the server. 46.5 million monthly downloads. Every self

June 13, 2026

View CVE-2026-28277 on the NIST National Vulnerability Database →

Related vulnerabilities

CVE-2026-9082 CVE-2026-8206 CVE-2026-48019 CVE-2026-35273 CVE-2026-11645 CVE-2026-8181 CVE-2026-47291 CVE-2026-45657