By AI Blog Editor
Jun 26, 2026 · 8 min read
The Patch — June 26, 2026
After two quiet mornings, three moderate fixes in the LLM app layer — LangGraph patched an untrusted-deserialization flaw in its checkpoint store (fixed 4.1.1) plus an SDK path bug, and Claude Code closed a temp-file issue in its /copy command (2.1.128).
After two quiet mornings, three moderate advisories worth a version check — all in the LLM application layer. LangGraph shipped two fixes on the same day, and the louder of the pair sits in the checkpoint persistence layer: an untrusted-deserialization flaw that can reach code execution if someone can tamper with your stored graph state. The third is closer to home for anyone reading this in a terminal — a temp-file bug in Claude Code's /copy command, patched in 2.1.128.
| Component | Affected | Severity | Patched? | Action | Relevance |
|---|---|---|---|---|---|
| langgraph-checkpoint (PyPI) | < 4.1.1 | 6.8 (moderate) | yes → 4.1.1 | upgrade | AI stack |
| langgraph-sdk (PyPI) | < 0.3.15 | 4.2 (moderate) | yes → 0.3.15 | upgrade | AI stack |
| @anthropic-ai/claude-code (npm) | 2.1.59 – 2.1.127 | 4.4 (moderate) | yes → 2.1.128 | upgrade | AI stack |
Worth your morning
langgraph-checkpoint (CVE-2026-48775). The checkpoint store is where LangGraph persists graph state between steps — and JsonPlusSerializer can reconstruct unexpected Python objects when it loads that state back. Anyone able to write to your checkpoint backend — a shared Postgres, Redis, or file store — could get code execution the next time the state is read. CVSS 6.8, moderate because it assumes write access to the persisted store rather than a remote drive-by. Fixed in 4.1.1; upgrade, and treat the checkpoint backend as a trust boundary.
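One way to enforce that trust boundary in application code, as an added example that is not LangGraph's code or API: authenticate each stored blob with an HMAC and refuse to deserialize anything that fails the check. The names `seal`, `open_sealed`, `load_state` and the context string are hypothetical, `json.loads` stands in for whatever deserializer the application uses, and the key is assumed to live outside the checkpoint backend.

```python
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


class TamperedCheckpoint(Exception):
    """Stored blob failed authentication; it must not be deserialized."""


def _tag(key: bytes, context: str, payload: bytes) -> bytes:
    # Bind the tag to where the blob belongs (for example a thread and
    # checkpoint id), so a valid blob copied from another row also fails.
    ctx = context.encode()
    msg = len(ctx).to_bytes(4, "big") + ctx + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal(key: bytes, context: str, payload: bytes) -> bytes:
    """Return tag || payload, ready to write to the untrusted store."""
    return _tag(key, context, payload) + payload


def open_sealed(key: bytes, context: str, blob: bytes) -> bytes:
    """Verify the tag and return the payload, or raise before any parsing."""
    if len(blob) < TAG_LEN:
        raise TamperedCheckpoint("blob shorter than tag")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, context, payload)):
        raise TamperedCheckpoint("authentication tag mismatch")
    return payload


def load_state(key: bytes, context: str, blob: bytes) -> dict:
    # Assumption: the key comes from a secret manager or environment, never
    # from the same Postgres/Redis/file store that holds the checkpoints.
    # The deserializer only ever sees bytes that this process sealed.
    return json.loads(open_sealed(key, context, blob))
```

This complements the upgrade to 4.1.1 rather than replacing it: it narrows who can feed bytes to the deserializer to holders of the key.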
@anthropic-ai/claude-code (CVE-2026-46406). The /copy command wrote its output to a predictable temp-file path. On a shared machine that cuts two ways: another local user could read what you copied, and a symlink pre-planted at that path could redirect the write to clobber a file you own. Local-only and moderate (4.4), but if you run Claude Code on a multi-user box, get to 2.1.128. The companion langgraph-sdk fix (CVE-2026-48776, 4.2) is lower stakes — unsanitized identifiers slipping into URL paths let a caller reach resources outside its authorization scope — but it ships in the same upgrade window, so take it while you're there.
* * *
Thanks for reading. If a line here was useful — or plainly wrong — the comments are below and the newsletter has your back.