PT-2025-9712 · Unknown · Flowiseai Flowise

Dorattias · Published 2025-03-04 · Updated 2026-04-07 · CVE-2025-26319

CVSS v3.1: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Name of the Vulnerable Software and Affected Versions

FlowiseAI Flowise version 2.2.6

Description

FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments API endpoint. This allows unauthenticated attackers to upload malicious files, potentially leading to remote code execution or server takeover. Reports indicate this issue is actively exploited. Approximately 2.2k to 35k instances of the vulnerable platform have been identified online. The vulnerability allows attackers to bypass security measures and upload files without proper authorization, which could compromise the system.

Recommendations

Upgrade to version 2.2.7 or later to address this vulnerability.

Exploit · Fix · RCE · Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2025-26319
GHSA-69JQ-QR7W-J7QH

Affected Products

Flowiseai Flowise