{"data":{"id":"1641cc73-d00b-40ea-8d12-90ddd00d4339","title":"CVE-2026-41137: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent al","summary":"Flowise is a drag-and-drop interface for building customized large language model workflows. Versions before 3.1.0 contain a code injection vulnerability (CWE-94) in the CSVAgent feature: user-provided Pandas CSV reading code is not properly filtered, so an attacker can supply code that runs arbitrary commands on the server.","solution":"Update to Flowise version 3.1.0 or later, where this vulnerability is fixed.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-41137","publishedAt":"2026-04-23T20:16:14.257Z","cveId":"CVE-2026-41137","cweIds":["CWE-94"],"cvssScore":null,"cvssSeverity":null,"severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["Flowise","Pandas"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-04-23T20:16:14.257Z","capecIds":["CAPEC-242"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"framework","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":["AML.T0010"]}}