Active attacks on approximately 7,000 internet-exposed Langflow servers were documented on June 19, exploiting CVE-2026-5027 (CVSS 8.8), a path-traversal flaw in the POST /api/v2/files endpoint that allows unauthenticated file writes to arbitrary filesystem paths including system directories (VentureBeat). VulnCheck added the CVE to its actively-exploited list on June 8; the fix shipped in Langflow 1.9.0 on April 15, meaning affected servers have gone unpatched for roughly two months (BackBox.org News). The same reporting disclosed three additional vulnerabilities in LangGraph: CVE-2025-67644 (CVSS 7.3) drops user-controlled filter keys directly into WHERE clauses in the SQLite checkpoint implementation without parameterization; CVE-2026-28277 exploits the msgpack checkpoint decoder to deserialize arbitrary Python objects and call attacker-supplied module functions, enabling remote code execution; and CVE-2026-27022 (CVSS 6.5) reaches the same attack surface through the Redis checkpointer (VentureBeat, BackBox.org News). Fixes are available in langgraph-checkpoint-sqlite 3.0.1, langgraph 1.0.10, and langgraph-checkpoint-redis 1.0.2.
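The injection class described for CVE-2025-67644 (filter keys placed into a WHERE clause while only the values are bound) can be shown side by side with a hardened form. This is an added example, not LangGraph's code: the table layout, the rows, and the names `make_db`, `search_unsafe`, `search_safe` and `KEY_RE` are assumptions made for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed schema and rows; not LangGraph's real checkpoint table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT)")
    db.executemany(
        "INSERT INTO checkpoints VALUES (?, ?)",
        [("t1", '{"source": "input", "owner": "alice"}'),
         ("t2", '{"source": "loop", "owner": "bob"}')],
    )
    return db

def search_unsafe(db, filters):
    # Vulnerable pattern: each key is interpolated into the SQL text.
    # Only the value is bound, so a crafted key changes the query's structure.
    clauses = [f"json_extract(metadata, '$.{k}') = ?" for k in filters]
    sql = ("SELECT thread_id FROM checkpoints WHERE "
           + " AND ".join(clauses) + " ORDER BY thread_id")
    return [row[0] for row in db.execute(sql, list(filters.values()))]

# Assumed policy: metadata keys are plain identifiers of at most 64 characters.
KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

def search_safe(db, filters):
    # Hardened pattern: validate every key, then bind the JSON path as a
    # parameter as well, so no caller-supplied text reaches the SQL string.
    clauses, params = [], []
    for key, value in filters.items():
        if not isinstance(key, str) or not KEY_RE.fullmatch(key):
            raise ValueError(f"rejected filter key: {key!r}")
        clauses.append("json_extract(metadata, ?) = ?")
        params += [f"$.{key}", value]
    sql = "SELECT thread_id FROM checkpoints"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return [row[0] for row in db.execute(sql + " ORDER BY thread_id", params)]

if __name__ == "__main__":
    db = make_db()
    crafted = {"owner') = 'x' OR ('1": "1"}  # constructed test key
    print(search_unsafe(db, {"owner": "alice"}))  # one matching row
    print(search_unsafe(db, crafted))             # filter bypassed, all rows
    try:
        search_safe(db, crafted)
    except ValueError as exc:
        print(exc)
```

Binding the JSON path alone already keeps the key out of the SQL text; the identifier check adds an explicit rejection that can be logged and alerted on.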
In hardware, Qualcomm is reportedly in advanced talks to acquire Tenstorrent - an AI accelerator startup co-founded by chip architect Jim Keller and focused on RISC-V chiplet designs for AI inference workloads - for between $8 billion and $10 billion (The Register, Data Center Dynamics); no deal has been finalized and terms remain subject to change. On the model side, xAI’s Grok Imagine Video 1.5 reached general availability on June 17, landing at the top of the Image-to-Video Arena leaderboard with a 52-point Elo improvement over version 1.0 (xAI); API pricing at 720p is $4.20 per minute, approximately 86 percent below Sora 2’s listed rate (TechTimes).