{"data":{"id":"7f2cdab6-751d-4130-a1f3-1e7e6a94dcf4","title":"GHSA-f228-chmx-v6j6: Flowise: Remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using `Pandas`.","summary":"Flowise's AirtableAgent has a remote code execution (RCE, where an attacker can run commands on a system they don't own) vulnerability because user input is inserted directly into Python code without sanitization. An attacker can use prompt injection (tricking an AI by hiding instructions in its input) to bypass the intended behavior and execute arbitrary code when the system processes Pandas (a Python library for working with data) operations.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-f228-chmx-v6j6","publishedAt":"2026-04-16T21:43:57.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["prompt_injection"],"issueType":"vulnerability","affectedPackages":["flowise-components@<= 3.0.13 (fixed: 3.1.0)","flowise@<= 3.0.13 (fixed: 3.1.0)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["Flowise","LangChain","Airtable"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-04-16T21:43:57.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"agent","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}