CVE-2026-41274CRITICAL 9.8EPSS p39.1%

CVE-2026-41274CVE-2026-41274

Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion. This vulnerability is fixed in 3.1.0.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.50% probability of exploitation · percentile 39.1% · 2026-06-19T12:03:05Z
Published2026-04-23
Last modified2026-05-04

Underlying weaknesses· 1

CWE-943

References

  1. https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc
  2. https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Special Elements in Data Query Logiccwe-9430%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-41273
CVE
CVE-2026-41271
CVE
CVE-2026-41137
CVE
CVE-2026-41268
CVE
CVE-2026-41267
CVE
CVE-2026-46478
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.