Vulnerability-Lookup

CVE-2026-41264 (GCVE-0-2026-41264)

Vulnerability from cvelistv5 – Published: 2026-04-23 20:00 – Updated: 2026-04-23 20:00

Title

Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability

Summary

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSV_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. An attacker can leverage this vulnerability to execute code in the context of the user running the server. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the CSV Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the Flowise server. This vulnerability is fixed in 3.1.0.

Severity ?

9.2 (Critical)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-184 - Incomplete List of Disallowed Inputs

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	FlowiseAI	Flowise	Affected: < 3.1.0

GHSA-3HJV-C53M-58JJ

Vulnerability from github – Published: 2026-04-21 20:19 – Updated: 2026-04-21 20:19

Summary

Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability

Details

Abstract

Trend Micro's Zero Day Initiative has identified a vulnerability affecting FlowiseAI Flowise.

Vulnerability Details

Version tested: 3.0.13
Installer file: https://github.com/FlowiseAI/Flowise
Platform tested: Ubuntu 25.10

Analysis

This vulnerability allows remote attackers to execute arbitrary code on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the run method of the CSV_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM-generated Python script. An attacker can leverage this vulnerability to execute code in the context of the user running the server.

Product Information

FlowiseAI Flowise version 3.0.13 — https://github.com/FlowiseAI/Flowise

Setup Instructions

npm install -g flowise@3.0.13
npx flowise start

Root Cause Analysis

FlowiseAI Flowise is an open source low-code tool for developers to build customized large language model (LLM) applications and AI agents. It supports integration with various LLMs, data sources, and tools in order to facilitate rapid development and deployment of AI solutions. Flowise offers a web interface with a drag-and-drop editor, as well as an API, through an Express web server accessible over HTTP on port 3000/TCP.

One such feature of Flowise is the ability to create chatflows. Chatflows use a drag-and-drop editor that allows a developer to place nodes which control how an interaction with an LLM will occur. One such node is the CSV Agent node that represents an Agent used to answer queries on a provided CSV file.

When a user makes a query against a chatflow using the CSV Agent node, the run method of the CSV_Agents class is called. This method first reads the contents of the CSV file passed to the node and converts it to a base64 string. It then sets up a pyodide environment and creates a Python script to be executed in this environment. This Python script uses pandas to extract the column names and their types from the provided CSV file. The method then creates a system prompt for an LLM using this data as follows:

You are working with a pandas dataframe in Python. The name of the dataframe is df.

The columns and data types of a dataframe are given below as a Python dictionary with keys showing column names and values showing the data types.
{dict}

I will ask question, and you will output the Python code using pandas dataframe to answer my question. Do not provide any explanations. Do not respond with anything except the output of the code.

Security: Output ONLY pandas/numpy operations on the dataframe (df). Do not use import, exec, eval, open, os, subprocess, or any other system or file operations. The code will be validated and rejected if it contains such constructs.

Question: {question}
Output Code:

Where {dict} is the extracted column names and {question} is the initial prompt provided by the user.

This system prompt is sent to an LLM in order for it to generate a Python script based on the user's prompt, and the LLM-generated response is stored in a variable named pythonCode. The method then evaluates the pythonCode variable in a pyodide environment.

While the LLM-generated Python script is evaluated in a non-sandboxed environment, there is a list of forbidden patterns that are checked before the script is executed on the server. The function validatePythonCodeForDataFrame() enumerates through a list named FORBIDDEN_PATTERNS, which contains pairs of regex patterns and reasons. Each regex pattern is run against the Python script, and if the pattern is found in the script, the script is invalidated and is not run, responding to the request with a reason for rejection.

The input validation can be bypassed, which can still lead to running arbitrary OS commands on the server. An example of this is the pattern /\bimport\s+(?!pandas|numpy\b)/g, which intends to search for lines of code that import a module other than pandas or numpy. This can be bypassed by importing along with pandas or numpy. For example, consider the following lines of code:

import pandas as np, os as pandas
pandas.system("xcalc")

Here, pandas is imported, but so is the os module, with pandas as its alias. OS commands can then be invoked with pandas.system().

Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the CSV Agent node may convince an LLM to respond with a malicious Python script that executes attacker-controlled commands on the Flowise server.

It is also possible for an authenticated attacker to exploit this vulnerability by specifying an attacker-controlled server in a chatflow. This server would respond to prompts with an attacker-controlled Python script instead of an LLM-generated response, which would then be evaluated on the server.

Relevant Source Code

`packages/components/nodes/agents/CSVAgent/core.ts`

```ts import type { PyodideInterface } from 'pyodide' import * as path from 'path' import { getUserHome } from '../../../src/utils'

let pyodideInstance: PyodideInterface | undefined

export async function LoadPyodide(): Promise { if (pyodideInstance === undefined) { const { loadPyodide } = await import('pyodide') const obj: any = { packageCacheDir: path.join(getUserHome(), '.flowise', 'pyodideCacheDir') } pyodideInstance = await loadPyodide(obj) await pyodideInstance.loadPackage(['pandas', 'numpy']) }

return pyodideInstance

}

export const systemPrompt = `You are working with a pandas dataframe in Python. The name of the dataframe is df.

The columns and data types of a dataframe are given below as a Python`*

Severity ?

9.2 (Critical)


                  
                    CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise-components"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41264"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-21T20:19:52Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Abstract\n\nTrend Micro\u0027s Zero Day Initiative has identified a vulnerability affecting FlowiseAI Flowise.\n\n## Vulnerability Details\n\n- **Version tested:** 3.0.13\n- **Installer file:** https://github.com/FlowiseAI/Flowise\n- **Platform tested:** Ubuntu 25.10\n\n## Analysis\n\nThis vulnerability allows remote attackers to execute arbitrary code on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the `run` method of the `CSV_Agents` class. The issue results from the lack of proper sandboxing when evaluating an LLM-generated Python script. An attacker can leverage this vulnerability to execute code in the context of the user running the server.\n\n### Product Information\n\nFlowiseAI Flowise version 3.0.13 \u2014 https://github.com/FlowiseAI/Flowise\n\n### Setup Instructions\n\n```bash\nnpm install -g flowise@3.0.13\nnpx flowise start\n```\n\n### Root Cause Analysis\n\nFlowiseAI Flowise is an open source low-code tool for developers to build customized large language model (LLM) applications and AI agents. It supports integration with various LLMs, data sources, and tools in order to facilitate rapid development and deployment of AI solutions. Flowise offers a web interface with a drag-and-drop editor, as well as an API, through an Express web server accessible over HTTP on port 3000/TCP.\n\nOne such feature of Flowise is the ability to create chatflows. Chatflows use a drag-and-drop editor that allows a developer to place nodes which control how an interaction with an LLM will occur. One such node is the CSV Agent node that represents an Agent used to answer queries on a provided CSV file.\n\nWhen a user makes a query against a chatflow using the CSV Agent node, the `run` method of the `CSV_Agents` class is called. This method first reads the contents of the CSV file passed to the node and converts it to a base64 string. It then sets up a pyodide environment and creates a Python script to be executed in this environment. This Python script uses pandas to extract the column names and their types from the provided CSV file. The method then creates a system prompt for an LLM using this data as follows:\n\n```\nYou are working with a pandas dataframe in Python. The name of the dataframe is df.\n\nThe columns and data types of a dataframe are given below as a Python dictionary with keys showing column names and values showing the data types.\n{dict}\n\nI will ask question, and you will output the Python code using pandas dataframe to answer my question. Do not provide any explanations. Do not respond with anything except the output of the code.\n\nSecurity: Output ONLY pandas/numpy operations on the dataframe (df). Do not use import, exec, eval, open, os, subprocess, or any other system or file operations. The code will be validated and rejected if it contains such constructs.\n\nQuestion: {question}\nOutput Code:\n```\n\nWhere `{dict}` is the extracted column names and `{question}` is the initial prompt provided by the user.\n\nThis system prompt is sent to an LLM in order for it to generate a Python script based on the user\u0027s prompt, and the LLM-generated response is stored in a variable named `pythonCode`. The method then evaluates the `pythonCode` variable in a pyodide environment.\n\nWhile the LLM-generated Python script is evaluated in a non-sandboxed environment, there is a list of forbidden patterns that are checked before the script is executed on the server. The function `validatePythonCodeForDataFrame()` enumerates through a list named `FORBIDDEN_PATTERNS`, which contains pairs of regex patterns and reasons. Each regex pattern is run against the Python script, and if the pattern is found in the script, the script is invalidated and is not run, responding to the request with a reason for rejection.\n\nThe input validation can be bypassed, which can still lead to running arbitrary OS commands on the server. An example of this is the pattern `/\\bimport\\s+(?!pandas|numpy\\b)/g`, which intends to search for lines of code that import a module other than pandas or numpy. This can be bypassed by importing along with pandas or numpy. For example, consider the following lines of code:\n\n```python\nimport pandas as np, os as pandas\npandas.system(\"xcalc\")\n```\n\nHere, pandas is imported, but so is the `os` module, with `pandas` as its alias. OS commands can then be invoked with `pandas.system()`.\n\nUsing prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the CSV Agent node may convince an LLM to respond with a malicious Python script that executes attacker-controlled commands on the Flowise server.\n\nIt is also possible for an authenticated attacker to exploit this vulnerability by specifying an attacker-controlled server in a chatflow. This server would respond to prompts with an attacker-controlled Python script instead of an LLM-generated response, which would then be evaluated on the server.\n\n### Relevant Source Code\n\n#### `packages/components/nodes/agents/CSVAgent/core.ts`\n\n```ts\nimport type { PyodideInterface } from \u0027pyodide\u0027\nimport * as path from \u0027path\u0027\nimport { getUserHome } from \u0027../../../src/utils\u0027\n\nlet pyodideInstance: PyodideInterface | undefined\n\nexport async function LoadPyodide(): Promise\u003cPyodideInterface\u003e {\n    if (pyodideInstance === undefined) {\n        const { loadPyodide } = await import(\u0027pyodide\u0027)\n        const obj: any = { packageCacheDir: path.join(getUserHome(), \u0027.flowise\u0027, \u0027pyodideCacheDir\u0027) }\n        pyodideInstance = await loadPyodide(obj)\n        await pyodideInstance.loadPackage([\u0027pandas\u0027, \u0027numpy\u0027])\n    }\n\n    return pyodideInstance\n}\n\nexport const systemPrompt = `You are working with a pandas dataframe in Python. The name of the dataframe is df.\n\nThe columns and data types of a dataframe are given below as a Python`*",
  "id": "GHSA-3hjv-c53m-58jj",
  "modified": "2026-04-21T20:19:52Z",
  "published": "2026-04-21T20:19:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3hjv-c53m-58jj"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability"
}

FKIE_CVE-2026-41264

Vulnerability from fkie_nvd - Published: 2026-04-23 20:16 - Updated: 2026-04-23 20:16

Severity ?

9.2 (Critical) - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3hjv-c53m-58jj

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Flowise is a drag \u0026 drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSV_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. An attacker can leverage this vulnerability to execute code in the context of the user running the server. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the CSV Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the Flowise server. This vulnerability is fixed in 3.1.0."
    }
  ],
  "id": "CVE-2026-41264",
  "lastModified": "2026-04-23T20:16:14.750",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "HIGH",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.2,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-23T20:16:14.750",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3hjv-c53m-58jj"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-184"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

WID-SEC-W-2026-1145

Vulnerability from csaf_certbund - Published: 2026-04-15 22:00 - Updated: 2026-04-21 22:00

Summary

Flowise: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Flowise ist eine Benutzeroberfläche zur Erstellung von LLMs (Large Language Model).

Angriff: Ein Angreifer kann mehrere Schwachstellen in Flowise ausnutzen, um beliebigen Programmcode auszuführen, um Sicherheitsvorkehrungen zu umgehen, um Informationen offenzulegen, und um Dateien zu manipulieren.

Betroffene Betriebssysteme: - Linux - UNIX

CVE-2026-41264

References

URL

Category

	https://wid.cert-bund.de/.well-known/csaf/white/2…	self
	https://wid.cert-bund.de/portal/wid/securityadvis…	self
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external
	https://github.com/FlowiseAI/Flowise/security/adv…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Flowise ist eine Benutzeroberfl\u00e4che zur Erstellung von LLMs (Large Language Model).",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Flowise ausnutzen, um beliebigen Programmcode auszuf\u00fchren, um Sicherheitsvorkehrungen zu umgehen, um Informationen offenzulegen, und um Dateien zu manipulieren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1145 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1145.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1145 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1145"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-28g4-38q8-3cwc vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-2qqc-p94c-hxwh vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-2qqc-p94c-hxwh"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-2x8m-83vc-6wv4 vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-2x8m-83vc-6wv4"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-3hjv-c53m-58jj vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3hjv-c53m-58jj"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-3prp-9gf7-4rxx vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3prp-9gf7-4rxx"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-48m6-ch88-55mj vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-48m6-ch88-55mj"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-4jpm-cgx2-8h37 vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-4jpm-cgx2-8h37"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-5fw2-mwhh-9947 vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5fw2-mwhh-9947"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-6f7g-v4pp-r667 vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6f7g-v4pp-r667"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-6pcv-j4jx-m4vx vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6pcv-j4jx-m4vx"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-6r77-hqx7-7vw8 vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6r77-hqx7-7vw8"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-9hrv-gvrv-6gf2 vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9hrv-gvrv-6gf2"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-9wc7-mj3f-74xv vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-c9gw-hvqq-f33r vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-c9gw-hvqq-f33r"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-cc4f-hjpj-g9p8 vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cc4f-hjpj-g9p8"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-cvrr-qhgw-2mm6 vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cvrr-qhgw-2mm6"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-f228-chmx-v6j6 vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-f228-chmx-v6j6"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-f6hc-c5jr-878p vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-f6hc-c5jr-878p"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-m7mq-85xj-9x33 vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-m7mq-85xj-9x33"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-qqvm-66q4-vf5c vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-qqvm-66q4-vf5c"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-v38x-c887-992f vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-v38x-c887-992f"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-w47f-j8rh-wx87 vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-w47f-j8rh-wx87"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-w6v6-49gh-mc9w vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-w6v6-49gh-mc9w"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-x5w6-38gp-mrqh vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x5w6-38gp-mrqh"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-xhmj-rg95-44hv vom 2026-04-15",
        "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-xhmj-rg95-44hv"
      }
    ],
    "source_lang": "en-US",
    "title": "Flowise: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-04-21T22:00:00.000+00:00",
      "generator": {
        "date": "2026-04-22T07:05:04.687+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-1145",
      "initial_release_date": "2026-04-15T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-04-15T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-04-21T22:00:00.000+00:00",
          "number": "2",
          "summary": "CVE erg\u00e4nzt"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c3.1.0",
                "product": {
                  "name": "Open Source Flowise \u003c3.1.0",
                  "product_id": "T052908"
                }
              },
              {
                "category": "product_version",
                "name": "3.1.0",
                "product": {
                  "name": "Open Source Flowise 3.1.0",
                  "product_id": "T052908-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:flowiseai:flowise:3.1.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Flowise"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-41264",
      "product_status": {
        "known_affected": [
          "T052908"
        ]
      },
      "release_date": "2026-04-15T22:00:00.000+00:00",
      "title": "CVE-2026-41264"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-41264 (GCVE-0-2026-41264)

GHSA-3HJV-C53M-58JJ

Abstract

Vulnerability Details

Analysis

Product Information

Setup Instructions

Root Cause Analysis

Relevant Source Code

packages/components/nodes/agents/CSVAgent/core.ts

FKIE_CVE-2026-41264

WID-SEC-W-2026-1145

Tags

Sightings

Nomenclature

`packages/components/nodes/agents/CSVAgent/core.ts`