{"data":{"id":"9e1452d8-5767-420e-a4ba-bb2e23b01072","title":"CVE-2026-41268: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable...","summary":"Flowise, a tool that lets users visually design custom AI workflows, has a critical vulnerability in versions before 3.1.0 that allows unauthenticated attackers to execute arbitrary system commands. An attacker can exploit this through a single web request by using a special keyword (FILE-STORAGE::) and injecting code into an environment variable (NODE_OPTIONS), gaining full control of the Flowise system.","solution":"Upgrade Flowise to version 3.1.0 or later, where this vulnerability is fixed.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-41268","publishedAt":"2026-04-23T20:16:15.300Z","cveId":"CVE-2026-41268","cweIds":["CWE-20"],"cvssScore":null,"cvssSeverity":null,"severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["Flowise"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-04-23T20:16:15.300Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"framework","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":["AML.T0010"]}}