securityonline.info 6/1/2026, 2:48:43 AM · external

Critical Langroid Vulnerability Allows RCE via Prompt Injection

Primary source: github.com
CISA KEV: listed in KEV
Patch: available

A critical vulnerability (CVE-2026-0257) was discovered in the Langroid Python framework. It allows attackers to bypass input restrictions and achieve remote code execution (RCE) via prompt injection. The flaw specifically affects the SQLChatAgent component and could have severe consequences if exploited, such as execution of arbitrary system commands and exfiltration of sensitive data. The vulnerability received a CVSS score of 9.8 because of its high impact on infrastructure security. A security patch is available in Langroid version 0.63.0 and above; it introduces an allowlist and a blocklist to mitigate the risk.
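The summary names an allowlist and a blocklist as the mitigation without describing them. The following is an added example, written for this page and not Langroid's own code or API, of how a defender can gate LLM-generated SQL in two layers before it reaches a database: a string-level allowlist of statement types plus a blocklist of keywords, and an engine-level SQLite authorizer that refuses everything except reads of user tables and a short allowlist of functions. The table, rows, function names (`check_query`, `run_guarded`, `make_connection`) and keyword sets are all constructed for the illustration; nothing here is the patched SQLChatAgent logic.

```python
import re
import sqlite3

# Constructed sample table for the demo (hypothetical, not from the advisory).
SAMPLE_ROWS = [(1, "alice", "2024-01-05"), (2, "bob", "2024-02-11")]

# Layer 1: string-level allowlist/blocklist applied to model-generated SQL.
ALLOWED_LEADING_KEYWORDS = ("SELECT", "WITH")
BLOCKED_KEYWORDS = {
    "INSERT", "UPDATE", "DELETE", "REPLACE", "DROP", "ALTER", "CREATE",
    "ATTACH", "DETACH", "PRAGMA", "VACUUM", "REINDEX",
}
# Layer 2: engine-level allowlist of functions the agent may call (assumed set).
ALLOWED_FUNCTIONS = {"count", "sum", "avg", "min", "max", "lower", "upper", "length"}

_WORD_RE = re.compile(r"[A-Za-z_]+")


def strip_comments(sql: str) -> str:
    """Remove -- and /* */ comments so keywords cannot hide inside them."""
    sql = re.sub(r"--[^\n]*", " ", sql)
    return re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)


def check_query(sql: str) -> tuple[bool, str]:
    """Return (allowed, reason). Conservative: a ';' inside a string literal is rejected too."""
    cleaned = strip_comments(sql).strip().rstrip(";").strip()
    if not cleaned:
        return False, "empty statement"
    if ";" in cleaned:
        return False, "multiple statements are not allowed"
    first = _WORD_RE.match(cleaned)
    if first is None or first.group(0).upper() not in ALLOWED_LEADING_KEYWORDS:
        return False, "only SELECT/WITH statements are allowed"
    hits = {w.upper() for w in _WORD_RE.findall(cleaned)} & BLOCKED_KEYWORDS
    if hits:
        return False, "blocked keyword: " + sorted(hits)[0]
    return True, "ok"


def _read_only_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """SQLite authorizer: permit reads of user tables and allowlisted functions only."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:
        # arg1 is the table name; keep the schema catalogue away from the model.
        return sqlite3.SQLITE_DENY if arg1 == "sqlite_master" else sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_FUNCTION:
        # arg2 is the function name.
        return sqlite3.SQLITE_OK if (arg2 or "").lower() in ALLOWED_FUNCTIONS else sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_DENY  # every write, DDL, PRAGMA, ATTACH, ... is refused


def make_connection() -> sqlite3.Connection:
    """In-memory database with the constructed rows; authorizer installed after setup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, created TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.set_authorizer(_read_only_authorizer)  # from here on, only reads succeed
    return conn


def run_guarded(conn: sqlite3.Connection, sql: str) -> dict:
    """Apply both layers; a statement the gate rejects is never sent to the engine."""
    ok, reason = check_query(sql)
    if not ok:
        return {"allowed": False, "reason": reason, "rows": []}
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:  # "not authorized" when the authorizer denies
        return {"allowed": False, "reason": f"engine denied: {exc}", "rows": []}
    return {"allowed": True, "reason": "ok", "rows": rows}


if __name__ == "__main__":
    conn = make_connection()
    for q in ("SELECT name FROM users ORDER BY id",
              "SELECT 1; DROP TABLE users",
              "SELECT sql FROM sqlite_master"):
        print(q, "->", run_guarded(conn, q))
```

The two layers are deliberately redundant: the string gate is cheap and gives a readable rejection reason for logging, while the authorizer is the layer that actually holds when the text check is fooled, because SQLite evaluates it on the parsed statement rather than on the raw string. In a real deployment the same idea applies with a database role that has only SELECT on the tables the agent needs, so that the LLM-facing code is never the last line of defence.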


Article by CyberSIXT