Two CISA KEV additions under active exploitation — Trend Micro Apex One and Langflow

If you did nothing this week: if you run Apex One On-Premise, your endpoint-management server can push attacker code to every managed agent; if you run Langflow, a cross-origin request can steal a session. CISA added both to KEV on 2026-05-21 with confirmed in-the-wild exploitation.

CVE-2026-34926 (Apex One On-Premise, CVSS 6.7) is a post-auth relative-path-traversal flaw in builds below 17079 that lets an admin-credential holder inject code which the management server then deploys fleet-wide to all managed agents — turning the security console into a malware distribution point; JPCERT/CC issued at260014 corroborating. CVE-2025-34291 (Langflow ≤ 1.6.9, CVSS 9.4) is an overly-permissive CORS configuration combined with a SameSite=None refresh token that enables cross-origin token theft, exploited by the Flodric botnet. Patch both; for Apex One, restrict management-console access and audit agent-deployment jobs for unexpected packages.