LeakyCreds

CVE-2026-41137 - Vulnerability Analysis

High | CVSS: 8.8

Last Updated: April 24, 2026

Flowise - Command Injection

Published: April 23, 2026 | Updated: April 24, 2026 | PoC Available | Remote Exploitable

Overview

Flowise prior to 3.1.0 contains a command injection vulnerability caused by a lack of sanitization of custom Pandas CSV read code in CSVAgent, which lets attackers execute arbitrary commands on the server. Exploitation requires the attacker to provide malicious CSV read code.

Severity & Score

Severity: High
CVSS Score: 8.8

Impact

Attackers can execute arbitrary commands on the server, potentially leading to full system compromise.

Mitigation

Update to version 3.1.0 or later.

Details

CVE ID: CVE-2026-41137
Severity: High
CVSS Score: 8.8
Type: command_injection
Status: confirmed

CWE

  • CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H