
CISA Adds Two Actively Exploited Vulnerabilities to Known Exploited Vulnerabilities Catalog
The US Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2026-33017, a code injection flaw in Langflow, an open-source AI workflow framework, and CVE-2026-33634, a supply chain compromise involving embedded malicious code in Aqua Security’s Trivy security scanner. Federal civilian agencies are mandated to remediate these flaws by April 8 and 9, 2026, respectively. Both vulnerabilities have been actively exploited, prompting CISA’s urgent response. Langflow’s flaw enables remote code execution (RCE), while the Trivy issue stems from a supply chain attack. No additional technical details on exploitation methods or attack vectors were provided.