CVE-2026-41137

EUVD-2026-25277
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
flowiseaiflowise
𝑥
< 3.1.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv