CVE-2026-41269: Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow co
Summary
Flowise, a tool with a drag-and-drop interface for building customized AI workflows, had a vulnerability before version 3.1.0 where attackers could upload malicious JavaScript files by changing file type settings, even though the user interface normally blocks such uploads. These uploaded files could act as web shells (programs that give attackers control over the server), potentially allowing remote code execution (RCE, where an attacker runs commands on a system they don't own).
Solution / Mitigation
Update Flowise to version 3.1.0 or later, where this vulnerability is fixed.
Vulnerability Details
CVSS score: 7.1 (high)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack vector: network
Attack complexity: low
Privileges required: low
User interaction: none
April 23, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-41269
First tracked: April 24, 2026 at 08:10 AM
Classified by LLM (prompt v3) · confidence: 95%