
CVE-2026-41138 - Vulnerability Analysis

High, CVSS: 8.3

Last Updated: April 23, 2026

Flowise - Remote Code Execution

Published: April 23, 2026 | Updated: April 23, 2026 | Remote Exploitable

Overview

Flowise versions before 3.1.0 contain a remote code execution vulnerability caused by a lack of input verification in AirtableAgent.ts when using Pandas. Remote attackers can execute arbitrary code via unsanitized user input in the question parameter. Exploitation requires crafted input.

Severity & Score

Severity: High
CVSS Score: 8.3

Impact

Remote attackers can execute arbitrary code, potentially leading to full system compromise.

Mitigation

Update to version 3.1.0 or later.

Details

CVE ID: CVE-2026-41138
Severity: High
CVSS Score: 8.3
Type: command_injection
Status: new

CWE

  • CWE-94

CVSS Metrics

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L