AI Threat Alert AI Threat Alert

CVE-2026-41137

UNKNOWN
Published April 23, 2026

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the...

Full CISO analysis pending enrichment.

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

Recommended Action

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-41137?

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0.

Is CVE-2026-41137 actively exploited?

No confirmed active exploitation of CVE-2026-41137 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-41137?

No patch is currently available. Monitor vendor advisories for updates.

What is the CVSS score for CVE-2026-41137?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0.

Weaknesses (CWE)

CWE-94

References

Timeline

Published
April 23, 2026
Last Modified
April 23, 2026
First Seen
April 23, 2026
Back to Threat Feed