{"data":{"id":"89c39f51-7a38-4d92-a46d-d61f02bf3fae","title":"CVE-2025-59528: Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution through its CustomMCP node.","summary":"Flowise version 3.0.5 has a remote code execution (RCE, where an attacker can run commands on a system they don't own) vulnerability in its CustomMCP node. When a user supplies configuration settings for the node, the software evaluates that input as JavaScript code using the Function() constructor without validating it first, allowing attackers to access dangerous system functions such as running programs or reading files.","solution":"This issue has been patched in version 3.0.6; upgrade from 3.0.5 to the patched release.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-59528","publishedAt":"2025-09-22T20:15:39.530Z","cveId":"CVE-2025-59528","cweIds":["CWE-94"],"cvssScore":"10","cvssSeverity":"critical","severity":"critical","attackType":[],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["Flowise"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.83004,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-242"],"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}