Home / Vulnerability Intelligence / CVE-2026-41265

CVE-2026-41265 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: April 24, 2026

Flowise - Command Injection

Published: April 23, 2026Updated: April 24, 2026PoC AvailableRemote Exploitable

Overview

Flowise < 3.1.0 contains a command injection caused by lack of proper sandboxing in the run method of Airtable_Agents class, letting unauthenticated attackers execute arbitrary commands via crafted prompts.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 12.9%(Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can execute arbitrary commands on the server, potentially leading to full system compromise.

Mitigation

Update to version 3.1.0 or later.

References

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-v38x-c887-992f

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 25, 2026

🔴 CVE-2026-41265 - Critical (9.8) Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluat... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41265/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-41265
Severity: Critical
CVSS Score: 9.8
Type: command_injection
Status: confirmed
EPSS: 12.9%
Social Posts: 1

CWE

CWE-77

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

12.9%Probability of exploitation in the next 30 days