ID:12794 - Exploit for Code Injection in Flowise - CVE-2026-41264

 
Main Vulnerability Database Exploits ID:12794 - Exploit for Code Injection in Flowise - CVE-2026-41264

ID:12794 - Exploit for Code Injection in Flowise - CVE-2026-41264

Published: July 1, 2026


Vulnerability identifier: #VU126598
Vulnerability risk: High
CVE-ID: CVE-2026-41264
CWE-ID: CWE-94
Exploitation vector: Remote access
Vulnerable software:
Flowise

Link to public exploit:


Vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper sandboxing in the run method of the CSV_Agents class when evaluating an LLM-generated python script from user-supplied prompts. A remote attacker can send a specially crafted prompt to cause execution of attacker-controlled code.

Exploitation requires a chatflow that uses the CSV Agent node, and successful prompt injection may depend on the model used.


Remediation

Install security update from vendor's website.