RCE in Flowiseai Flowise

CVE-2026-41137

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.004 (62.4th percentile) — read the EPSS interpretation.

Affected products

Flowiseai Flowise — versions < 3.1.0
Flowiseai Flowise-components — versions < 3.1.0

Weakness classification (CWE)

CWE-94 — Code Injection

References

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv (x_refsource_CONFIRM)