Critical Flowise RCE Vulnerability Exploited, Thousands of Systems at Risk
Severity: High (Score: 72.9)
Sources: Csoonline, Thecyberexpress, Bleepingcomputer
Summary
A critical remote code execution (RCE) vulnerability in the Flowise low-code platform, tracked as CVE-2025-59528, is being actively exploited by threat actors. The flaw stems from improper validation of user input in the CustomMCP node, which connects to external Model Context Protocol (MCP) servers, and allows attackers to inject arbitrary JavaScript code. The vulnerability was first disclosed in September 2025, and despite a patch being available since version 3.0.6, exploitation attempts have been observed as of April 6, 2026. Security researchers estimate that between 12,000 and 15,000 instances of Flowise are currently exposed on the public internet, with exploitation activity originating from a single Starlink IP address. Two other vulnerabilities (CVE-2025-8943 and CVE-2025-26319) have also been flagged for active exploitation. Users are urged to upgrade to the latest version, 3.1.1, to mitigate risks.
Key Points:
- CVE-2025-59528 allows arbitrary JavaScript code execution in Flowise due to improper input validation.
- Exploitation attempts have been detected, with 12,000 to 15,000 vulnerable Flowise instances exposed online.
- Users are advised to upgrade to version 3.1.1, or at least 3.0.6, to protect against this vulnerability.
Key Entities
- Remote Code Execution (attack_type)
- Zero-day Exploit (attack_type)
- CVE-2025-26319 (cve)
- CVE-2025-59528 (cve)
- CVE-2025-8943 (cve)
- T1059.007 - JavaScript (mitre_attack)
- T1190 - Exploit Public-Facing Application (mitre_attack)
- Docker (tool)
- Node.js (tool)
- YARA (tool)
- Flowise (platform)
- MCP (platform)