Arbitrary file upload in Flowise - CVE-2026-41269

Published: April 20, 2026

Vulnerability identifier: #VU126610
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-41269
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FlowiseAI
Affected software:
Flowise

Detailed vulnerability description

The vulnerability allows a remote user to upload and store malicious JavaScript files on the server.

The vulnerability exists due to unrestricted upload of a file with a dangerous type in the createAttachment functionality when updating the Chatflow file upload settings and uploading attachments. A remote user can add the application/javascript MIME type to the allowed upload types and then upload a specially crafted .js file, which is stored on the server as a malicious JavaScript file.

If the uploaded file is executed, this can lead to remote code execution.
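The weakness described above is that a per-chatflow setting decides which MIME types the attachment endpoint will store, so a user who can edit that setting can enable a dangerous type. The following TypeScript is an added example, not Flowise's own code: it shows the shape of a server-side check in which the chatflow setting can only narrow a fixed server-side allowlist, never widen it, and in which the extension and the leading bytes must agree with the declared type. All names in it (validateAttachment, UploadCandidate, ChatflowUploadConfig, the allowlists) are hypothetical.

```typescript
// Added example (not Flowise's own code): server-side validation for a
// chat attachment upload endpoint. Every identifier here is hypothetical.

// MIME types this server is willing to store as attachments. The chatflow's
// own "allowed upload types" setting can narrow this set but never widen it,
// so adding application/javascript in the settings has no effect.
const SERVER_SAFE_MIME_TYPES: ReadonlySet<string> = new Set([
  "text/plain", "text/csv", "application/json", "application/pdf",
  "image/png", "image/jpeg",
]);

// Extension(s) that must accompany each storable MIME type.
const MIME_TO_EXTENSIONS: Record<string, readonly string[]> = {
  "text/plain": [".txt"],
  "text/csv": [".csv"],
  "application/json": [".json"],
  "application/pdf": [".pdf"],
  "image/png": [".png"],
  "image/jpeg": [".jpg", ".jpeg"],
};

// Extensions refused outright, before any MIME logic runs.
const BLOCKED_EXTENSIONS: ReadonlySet<string> = new Set([
  ".js", ".mjs", ".cjs", ".html", ".htm", ".svg", ".php", ".sh", ".exe",
]);

// Binary types whose leading bytes are verified so a declared MIME type
// cannot simply be asserted by the client.
const MAGIC_BYTES: ReadonlyArray<[string, number[]]> = [
  ["application/pdf", [0x25, 0x50, 0x44, 0x46, 0x2d]], // "%PDF-"
  ["image/png", [0x89, 0x50, 0x4e, 0x47]],
  ["image/jpeg", [0xff, 0xd8, 0xff]],
];

interface UploadCandidate {
  filename: string;     // name supplied by the client
  declaredMime: string; // Content-Type supplied by the client
  bytes: Uint8Array;    // file body
}

interface ChatflowUploadConfig {
  allowedMimeTypes: string[]; // user-editable per-chatflow setting
  maxBytes: number;
}

interface UploadDecision {
  accepted: boolean;
  reason: string;
  effectiveMime?: string;
}

// Lower-cased extension of the last path component, or "" if there is none.
function extensionOf(filename: string): string {
  const base = filename.split(/[\\/]/).pop() ?? "";
  const dot = base.lastIndexOf(".");
  return dot < 0 ? "" : base.slice(dot).toLowerCase();
}

// Returns the MIME type whose magic bytes match, or null if none of the known ones do.
function sniffMime(bytes: Uint8Array): string | null {
  for (const [mime, magic] of MAGIC_BYTES) {
    if (bytes.length >= magic.length && magic.every((b, i) => bytes[i] === b)) {
      return mime;
    }
  }
  return null;
}

function validateAttachment(c: UploadCandidate, cfg: ChatflowUploadConfig): UploadDecision {
  const ext = extensionOf(c.filename);
  if (BLOCKED_EXTENSIONS.has(ext)) {
    return { accepted: false, reason: `extension ${ext} is never storable` };
  }
  if (c.bytes.length > cfg.maxBytes) {
    return { accepted: false, reason: "file exceeds size limit" };
  }
  // Strip parameters such as "; charset=utf-8" before comparing.
  const mime = (c.declaredMime.split(";")[0] ?? "").trim().toLowerCase();
  // Effective allowlist = chatflow setting intersected with the server-side safe set.
  if (!cfg.allowedMimeTypes.map((m) => m.toLowerCase()).includes(mime)) {
    return { accepted: false, reason: `${mime} not enabled for this chatflow` };
  }
  if (!SERVER_SAFE_MIME_TYPES.has(mime)) {
    return { accepted: false, reason: `${mime} is not storable on this server` };
  }
  if (!(MIME_TO_EXTENSIONS[mime] ?? []).includes(ext)) {
    return { accepted: false, reason: `extension ${ext} does not match ${mime}` };
  }
  const sniffable = MAGIC_BYTES.some(([m]) => m === mime);
  if (sniffable && sniffMime(c.bytes) !== mime) {
    return { accepted: false, reason: `content does not look like ${mime}` };
  }
  return { accepted: true, reason: "ok", effectiveMime: mime };
}
```

The design point is the order and ownership of the checks: the extension denylist and the server-side MIME allowlist are fixed in code, so a client-supplied Content-Type or an edited chatflow setting can at most select among types the server already considers safe. Storing the file under a server-generated name with the validated extension, rather than the client's filename, is the natural complement to this check.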

How to mitigate CVE-2026-41269

Install the security update from the vendor's website.

Sources