Two more entries hit the Known Exploited Vulnerabilities catalog on May 21. CVE-2025-34291 is an origin validation flaw in Langflow — the Python-based AI workflow builder that's become a fixture in internal tooling stacks — while CVE-2026-34926 is a directory traversal in Trend Micro Apex One, a product that turns up in enough enterprise endpoints to make this a broad concern. Both carry active-exploitation confirmations, which is CISA's bar for KEV inclusion. Federal agencies have a mandatory remediation deadline under BOD 22-01; everyone else should treat that deadline as a reasonable target rather than someone else's problem.