Langflow CRITICAL: Active Users Can Execute Arbitrary Server-Side Code via Custom Component Upload
A critical security flaw in the Langflow platform grants authenticated 'active users' the ability to upload and execute arbitrary Python code directly on the server. The vulnerability, classified as CWE-94 Code Injection with a CVSS score of 8.8 (High), resides in the `custom_component` API endpoint. This endpoint accepts raw Python code from users and, without proper sandboxing or code review, executes it server-side during the component build process, enabling remote code execution (RCE).
The affected code is located in `src/backend/base/langflow/api/v1/endpoints.py` at line 1012 within the `custom_component` function. The endpoint `POST /api/v1/custom_component` uses the `Component` class to build and execute user-supplied code, passed via the `raw_code.code` parameter. The only authentication requirement is that the user has 'active user' status, a relatively low barrier that significantly widens the potential attack surface.
This vulnerability represents a severe breach of the application's security boundary, allowing any compromised or malicious active account to potentially take full control of the underlying server. The lack of sandboxing or validation for the uploaded code means attackers could install malware, exfiltrate sensitive data, or pivot to other systems within the network. The exposure is immediate for any instance where this endpoint is publicly accessible and user registration is enabled.
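For triage, the following added example (not from the advisory or the Langflow project) scans reverse-proxy access logs for `POST /api/v1/custom_component` requests from clients outside an expected set. The combined log format, the sample lines, the function names and the `trusted_sources` parameter are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

ENDPOINT = "/api/v1/custom_component"  # path named in the advisory

# Assumed format: Apache/nginx "combined" access log.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:09:58:10 +0000] "POST /api/v1/custom_component HTTP/1.1" 200 843 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "POST /api/v1/custom_component HTTP/1.1" 401 71 "-" "curl/8.5.0"
203.0.113.7 - - [12/Mar/2025:10:01:40 +0000] "POST /api/v1/custom_component/?x=1 HTTP/1.1" 200 910 "-" "curl/8.5.0"
198.51.100.23 - - [12/Mar/2025:10:02:11 +0000] "GET /api/v1/custom_component HTTP/1.1" 405 0 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2025:10:03:00 +0000] "POST /api/v1/login HTTP/1.1" 200 300 "-" "Mozilla/5.0"
garbage line that does not parse
"""

def component_posts(log_text, trusted_sources=frozenset()):
    """Return {client_ip: [(timestamp, status), ...]} for POSTs to ENDPOINT
    made by clients that are not in trusted_sources (hypothetical allow-list)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip unparseable lines and other methods
        # Normalise away query strings and a trailing slash before comparing.
        path = urlsplit(m["target"]).path.rstrip("/")
        if path != ENDPOINT or m["ip"] in trusted_sources:
            continue
        hits[m["ip"]].append((m["ts"], int(m["status"])))
    return dict(hits)

def accepted(hits):
    """Clients with at least one 2xx response. Assumption: 2xx means the
    server authenticated and processed the request."""
    return sorted(ip for ip, ev in hits.items()
                  if any(200 <= status < 300 for _, status in ev))

if __name__ == "__main__":
    found = component_posts(SAMPLE_LOG, trusted_sources={"10.0.0.5"})
    for ip, events in found.items():
        print(ip, events)
    print("accepted:", accepted(found))
```

Standard access logs do not record the `raw_code.code` request body, so a hit shows who reached the endpoint, not what was submitted.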