{"data":{"id":"e2f0ed54-f2bf-4959-bc2b-50193b6e54ce","title":"CVE-2026-40933: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe s","summary":"Flowise, a tool with a visual interface for building customized AI flows, has a vulnerability before version 3.1.0 where authenticated attackers can execute arbitrary commands on the server. The flaw exists in the MCP (model context protocol) adapter's handling of stdio commands, where input sanitization checks fail to prevent attackers from combining safe commands like \"npx\" with code execution arguments to run malicious commands on the underlying operating system.","solution":"Update Flowise to version 3.1.0 or later, where this vulnerability is fixed.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-40933","publishedAt":"2026-04-21T22:16:19.383Z","cveId":"CVE-2026-40933","cweIds":["CWE-78"],"cvssScore":"9.9","cvssSeverity":"critical","severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["Flowise"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","attackVector":"network","attackComplexity":"low","privilegesRequired":"low","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-04-21T22:16:19.383Z","capecIds":["CAPEC-88"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"framework","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":["AML.T0010"]}}