CVE-2025-26319

CRITICAL

FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments.

CVSS v3.1 Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Complexity

LOW

Privileges

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Published: 3/4/2025Modified: 6/24/2025

Related Intelligence (1)

CRITICALVulnerability

Hackers exploit a critical Flowise flaw affecting thousands of AI workflows

Threat actors have found a way to inject arbitrary JavaScript into the Flowise low-code platform for building custom LLM and agentic systems. The code injection was possible due to a design oversight, rated at max-severity, in the platform’s custom MCP node, which acts as a plug-in connector for an application’s AI agent to talk to external tools via MCP servers. According to a recent VulnCheck al

CVE-2025-59528CVE-2025-8943

2h agoCSO Online

References (2)

https://github.com/dorattias/CVE-2025-26319ExploitPatch https://github.com/dorattias/CVE-2025-26319ExploitPatch