CISA adds Langflow, Trend Micro Apex One CVEs to KEV Catalog
Both entries trigger BOD 22-01 mandatory remediation deadlines for Federal Civilian Executive Branch agencies; contractors and MSPs on federal systems inherit the same obligation.
TL;DR
CISA added CVE-2025-34291 (Langflow origin validation error) and CVE-2026-34926 (Trend Micro Apex One on-premise directory traversal) to the Known Exploited Vulnerabilities Catalog on May 21, 2026. Federal Civilian Executive Branch agencies must remediate both by CISA-set deadlines under Binding Operational Directive 22-01. Specific due dates were not published in the alert. Contractors and MSPs supporting FCEB systems should add both CVEs to their active vulnerability management queues; the Trend Micro entry's on-premise scope may exclude cloud or SaaS deployments.
CISA added two vulnerabilities to the KEV Catalog based on evidence of active exploitation: CVE-2025-34291, an origin validation error in Langflow, and CVE-2026-34926, a directory traversal vulnerability in Trend Micro Apex One (on-premise). BOD 22-01 requires FCEB agencies to remediate both by their respective catalog due dates. The alert does not publish those dates directly; agencies should consult the catalog entry for each CVE. The Trend Micro entry's explicit on-premise scope is worth noting for organizations running Apex One in hybrid environments, as the mandate's reach to cloud or SaaS variants is not addressed in this alert.
Deep Fathom