CVE-2026-41269 - Vulnerability Analysis
High | CVSS: 7.1 | Last Updated: April 24, 2026
Flowise - Unrestricted File Upload
Published: April 23, 2026 | Updated: April 24, 2026 | PoC Available | Remote Exploitable
Overview
Flowise versions before 3.1.0 contain an unrestricted file upload vulnerability caused by improper MIME type validation in the Chatflow configuration file upload settings. Attackers can upload malicious .js files and persistently store Node.js web shells. Exploitation requires file upload capability.
Severity & Score
Severity: High
CVSS Score: 7.1
Impact
Attackers can upload malicious files, leading to persistent remote code execution on the server.
Mitigation
Update to version 3.1.0 or later.
Details
- CVE ID: CVE-2026-41269
- Severity: High
- CVSS Score: 7.1
- Type: unrestricted_file_upload
- Status: modified
CWE
- CWE-434
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N