#VU125541 Arbitrary file upload in Flowise - CVE-2025-26319

Published: April 9, 2026


Vulnerability identifier: #VU125541
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-26319
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Flowise
Software vendor:
FlowiseAI

Description

The vulnerability allows a remote user to upload arbitrary files and potentially execute arbitrary code.

The vulnerability exists due to unrestricted upload of a file with a dangerous type in the attachments upload endpoint when handling file upload requests. A remote user can upload a specially crafted file and potentially execute arbitrary code.

The uploaded file is stored persistently on the server, and code execution requires the uploaded shell to be triggered, either through administrator error or by chaining with another vulnerability.


Remediation

Install the security update from the vendor's website.

External links