CVE-2026-41137: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent al
Summary
Flowise is a drag-and-drop interface for building customized large language model workflows. Versions before 3.1.0 contain a command injection vulnerability in the CSVAgent feature: it fails to properly filter user-provided Pandas CSV reading code, so an attacker can execute arbitrary commands on the server.
Solution / Mitigation
Update to Flowise version 3.1.0 or later, where this vulnerability is fixed.
Vulnerability Details
EPSS: 0.0%
April 23, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-41137
First tracked: April 24, 2026 at 08:10 AM
Classified by LLM (prompt v3) · confidence: 92%