CVE-2026-41269 | THREATINT

Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). This vulnerability is fixed in 3.1.0.

PUBLISHED Reserved 2026-04-18 | Published 2026-04-23 | Updated 2026-04-24 | Assigner GitHub_M

HIGH: 7.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Problem types

CWE-434: Unrestricted Upload of File with Dangerous Type

Product status

< 3.1.0

affected

References

github.com/...lowise/security/advisories/GHSA-rh7v-6w34-w2rr exploit

github.com/...lowise/security/advisories/GHSA-rh7v-6w34-w2rr

cve.org (CVE-2026-41269)

nvd.nist.gov (CVE-2026-41269)

Download JSON