{"api_version":"1","generated_at":"2026-04-24T01:42:13+00:00","cve":"CVE-2026-41269","urls":{"html":"https://cve.report/CVE-2026-41269","api":"https://cve.report/api/cve/CVE-2026-41269.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-41269","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-41269"},"summary":{"title":"Flowise: File Upload Validation Bypass in createAttachment","description":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). This vulnerability is fixed in 3.1.0.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-04-23 20:16:15","updated_at":"2026-04-23 20:16:15"},"problem_types":["CWE-434","CWE-434 CWE-434: Unrestricted Upload of File with Dangerous Type"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-rh7v-6w34-w2rr","name":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-rh7v-6w34-w2rr","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-41269","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41269","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"FlowiseAI","product":"Flowise","version":"affected < 3.1.0","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"product":"Flowise","vendor":"FlowiseAI","versions":[{"status":"affected","version":"< 3.1.0"}]}],"descriptions":[{"lang":"en","value":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). This vulnerability is fixed in 3.1.0."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-434","description":"CWE-434: Unrestricted Upload of File with Dangerous Type","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-23T19:14:26.918Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-rh7v-6w34-w2rr","tags":["x_refsource_CONFIRM"],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-rh7v-6w34-w2rr"}],"source":{"advisory":"GHSA-rh7v-6w34-w2rr","discovery":"UNKNOWN"},"title":"Flowise: File Upload Validation Bypass in createAttachment"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-41269","datePublished":"2026-04-23T19:14:26.918Z","dateReserved":"2026-04-18T14:01:46.801Z","dateUpdated":"2026-04-23T19:14:26.918Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-23 20:16:15","lastModifiedDate":"2026-04-23 20:16:15","problem_types":["CWE-434","CWE-434 CWE-434: Unrestricted Upload of File with Dangerous Type"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.2}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"41269","Ordinal":"1","Title":"Flowise: File Upload Validation Bypass in createAttachment","CVE":"CVE-2026-41269","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"41269","Ordinal":"1","NoteData":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). This vulnerability is fixed in 3.1.0.","Type":"Description","Title":"Flowise: File Upload Validation Bypass in createAttachment"}]}}}