CVE-2025-59528: Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vu
Summary
Flowise version 3.0.5 has a remote code execution (RCE, where an attacker can run commands on a system they don't own) vulnerability in its CustomMCP node. When users input configuration settings, the software unsafely executes the input as JavaScript code using the Function() constructor without checking if it's safe, allowing attackers to access dangerous system functions like running programs or reading files.
Solution / Mitigation
This issue has been patched in version 3.0.6.
Vulnerability Details
10(critical)
EPSS: 83.0%
Classification
Affected Vendors
Related Issues
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-59528
First tracked: February 15, 2026 at 08:53 PM
Classified by LLM (prompt v3) · confidence: 95%