AI Threat Alert AI Threat Alert

CVE-2026-41269

HIGH
Published April 23, 2026

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally...

Full CISO analysis pending enrichment.

Severity & Risk

CVSS 3.1
7.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C Low
I High
A None

Recommended Action

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-41269?

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). This vulnerability is fixed in 3.1.0

Is CVE-2026-41269 actively exploited?

No confirmed active exploitation of CVE-2026-41269 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-41269?

No patch is currently available. Monitor vendor advisories for updates.

What is the CVSS score for CVE-2026-41269?

CVE-2026-41269 has a CVSS v3.1 base score of 7.1 (HIGH).

Technical Details

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). This vulnerability is fixed in 3.1.0.

Weaknesses (CWE)

CWE-434 Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

References

Timeline

Published
April 23, 2026
Last Modified
April 23, 2026
First Seen
April 23, 2026
Back to Threat Feed