www.securityweek.com 4/7/2026, 4:01:22 PM · via preferred

Flowise CVE-2025-59528 Bug Lets Attackers Execute Code via JS

Developing story incident 3 articles tracked
Flowise AI platform flaw (CVE-2025-59528) actively exploited
CyberSIXT Evidence Panel
CVE Intel
CISA KEV Not in KEV
Patch Patch Available

ACCORDING to VulnCheck, threat actors have started to exploit a critical vulnerability in Flowise that allows remote code execution by abusing unvalidated user-supplied JavaScript used to configure an external MCP. The flaw is tracked as CVE-2025-59528, with a CVSS score of 10, and stems from passing user input directly to a function that evaluates it as JavaScript code with full Node[.]js privileges. Flowise versions up to 3.0.5 are affected, with a patch issued in version 3.0.6 released in September 2025.

VulnCheck says it has observed first in-the-wild exploitation attempts targeting CVE-2025-59528 and notes that between 12,000 and 15,000 Flowise instances are publicly accessible, though it remains unclear how many are running vulnerable versions. Caitlin Condon, VulnCheck VP of security research, describes the attack surface as extensive and opportunistic given the exposed deployments.

View full article

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline