Main Vulnerability Database Exploits ID:12562 - Exploit for Code Injection in Flowise - CVE-2025-59528

ID:12562 - Exploit for Code Injection in Flowise - CVE-2025-59528

Published: April 9, 2026

Vulnerability identifier: #VU125540

Vulnerability risk: High

CVE-ID: CVE-2025-59528

CWE-ID: CWE-94

Exploitation vector: Remote access

Vulnerable software:
Flowise

Link to public exploit:

https://www.rapid7.com/db/modules/exploit/multi/http/flowise_js_rce

Vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of code generation in the CustomMCP node when processing a user-supplied mcpServerConfig value through the /api/v1/node-load-method/customMCP endpoint. A remote attacker can send a specially crafted request to execute arbitrary code.

The input is evaluated through the Function() constructor in the Node.js runtime context, which can expose modules such as child_process and fs.

Remediation

Install security update from vendor's website.

ID:12562 - Exploit for Code Injection in Flowise - CVE-2025-59528

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human