Critical Flowise Vulnerability in Attacker Crosshairs
The improper validation of user-supplied JavaScript code allows attackers to execute arbitrary code and access the file system. The post Critical Flowise Vulnerability in Attacker Crosshairs appeared first on SecurityWeek.
Threat actors have started to exploit a critical vulnerability in Flowise that allows them to execute arbitrary code remotely, VulnCheck warns.
Flowise is an open source development platform that allows users to build customized LLM flows and autonomous agents using a drag-and-drop interface.
Tracked as CVE-2025-59528 (CVSS score of 10), the bug exists because user-supplied JavaScript code is not validated in a function that supports configuration settings input for connecting to an external MCP.
Source: https://www.securityweek.com/critical-flowise-vulnerability-in-attacker-crosshairs/
Related breach coverage
- Attackers exploit critical Flowise flaw CVE-2025-59528 for remote code execution (2026-04-07)
Attackers are exploiting a critical Flowise flaw, tracked as CVE-2025-59528 (CVSS score of 10), that lets them run malicious code and access systems due to poor validation of user-supplied JavaScript. Attackers are actively exploiting a critical vulnerability in Flowise, tracked as CVE-2025-59528, that allows remote code execution and file system access. The flaw stems from improper validation […]
- Fortinet Rushes Emergency Fixes for Exploited Zero-Day (2026-04-06)
The improper access control bug in FortiClient EMS allows unauthenticated attackers to execute arbitrary code remotely. The post Fortinet Rushes Emergency Fixes for Exploited Zero-Day appeared first on SecurityWeek.
- Exploitation of Critical Fortinet FortiClient EMS Flaw Begins (2026-03-31)
The SQL injection vulnerability allows unauthenticated attackers to execute arbitrary code remotely, via crafted HTTP requests. The post Exploitation of Critical Fortinet FortiClient EMS Flaw Begins appeared first on SecurityWeek.
- Critical SmarterMail Vulnerability Exploited in Ransomware Attacks (2026-02-06)
The security defect allows unauthenticated attackers to execute arbitrary code remotely via malicious HTTP requests. The post Critical SmarterMail Vulnerability Exploited in Ransomware Attacks appeared first on SecurityWeek.
