CVE-2026-41269 · HIGH 8.8 · EPSS p37.1%


Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). This vulnerability is fixed in 3.1.0.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.47% probability of exploitation · percentile 37.1% · 2026-06-19T12:03:05Z
Published: 2026-04-23
Last modified: 2026-04-24

Underlying weaknesses · 1

CWE-434

References

  1. https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-rh7v-6w34-w2rr

Type: Weakness
Target: Unrestricted Upload of File with Dangerous Type (cwe-434)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-61687
CVE-2026-30821
CVE-2026-41268
CVE-2026-46442
CVE-2026-41273
CVE-2026-31829

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.