CVE-2026-41137 · HIGH 8.8 · EPSS percentile 69.9%


Description

Flowise is a drag & drop user interface for building customized large language model flows. Prior to 3.1.0, the CSVAgent allows the user to supply custom Pandas CSV read code. Because that code is not sanitized, an attacker can provide a command injection payload that is interpolated into the code and executed by the server. This vulnerability is fixed in 3.1.0.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (network-reachable, low attack complexity, low privileges required, no user interaction, unchanged scope, high impact on confidentiality, integrity and availability)
EPSS: 1.45% probability of exploitation · percentile 69.9% · 2026-06-18T12:00:27Z
Published: 2026-04-23
Last modified: 2026-04-24

Underlying weaknesses · 1

CWE-94: Improper Control of Generation of Code ('Code Injection')

References

  1. https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv

Type      Target                                                     Confidence  Tier
Weakness  Improper Control of Generation of Code ('Code Injection')  0%          live
          (CWE-94)

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-41264
  2. CVE-2026-41138
  3. CVE-2026-41274
  4. CVE-2026-41265
  5. CVE-2025-61913
  6. CVE-2026-41271
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.