1. Forum
  2. tqwNet
  3. TQW GENTECH

  • Top open source AI platform Flowise hit by maximum-level security

    From TechnologyDaily@1337:1/100 to All on Wed Apr 8 16:15:29 2026
    Top open source AI platform Flowise hit by maximum-level security issue

    Date:
    Wed, 08 Apr 2026 15:10:00 +0000

    Description:
    A 10/10 Flowise bug was patched, but is now being abused in the wild.

    FULL STORY ======================================================================Copy link Facebook X Whatsapp Reddit Pinterest Flipboard Threads Email Share this article 0 Join the conversation Follow us Add us as a preferred source on Google Newsletter Tech Radar Pro Are you a pro? Subscribe to our newsletter Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed! Become a Member in Seconds Unlock instant access to exclusive member features. Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over. You are
    now subscribed Your newsletter sign-up was successful Join the club Get full access to premium articles, exclusive features and a growing list of member rewards. Explore An account already exists for this email address, please log in. Subscribe to our newsletter Flowise AI platform carried CVSS-10 arbitrary code flaw Vulnerability in CustomMCP node exploited in the wild Up to 15,000 exposed instances urged to update immediately Flowise, a popular open source platform for building custom LLM apps and AI agents, carried a maximum-severity vulnerability which allowed threat actors to run arbitrary code and thus, potentially, take over entire systems.

    Flowise is a lowcode platform which allows users to visually build AI workflows, chatbots and LLMpowered applications by dragging and dropping components instead of writing code. Its GitHub project has more than 40,000 stars, and it is reported to power millions of chats and workflows across developers and companies. In September 2025, it was discovered that version 3.0.5 contained a bug in the CustomMCP node. When users entered configuration data, the software would run it as JavaScript without checks. This let attackers execute any code on the server, including accessing files or
    running system commands. Article continues below You may like Thousands of
    n8n instances under threat from top security issue Critical n8n flaws discovered - here's how to stay safe LangChain framework hit by several worrying security issues Spotted in the wild The vulnerability was fixed in version 3.0.6 and currently, the latest version is 3.1.1 - however, more than half a year later, security researchers spotted threat actors abusing it in the wild.

    Citing Caitlin Condon from vulnerability intelligence firm VulnCheck, BleepingComputer reported the exploitation of the bug was seen in the
    companys Canary network.

    Early this morning, VulnCheck's Canary network began detecting first-time exploitation of CVE-2025-59528, a CVSS-10 arbitrary JavaScript code injection vulnerability in Flowise, an open-source AI development platform, Condon warned.

    She said that the attack was limited to a single Starlink IP, but warned that it might soon expand, since there are currently up to 15,000 Flowise
    instances exposed to the wider internet. At least some of them are, most likely, not updated to the latest versions and, as such, vulnerable. Are you
    a pro? Subscribe to our newsletter Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed! Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors By submitting
    your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

    The best course of action would be to bring all Flowise instances to the newest version and, if possible, remove them from the public internet if its not necessary for everyday operations. The best antivirus for all budgets Our top picks, based on real-world testing and comparisons

    Read our full guide to the best antivirus 1. Best overall: Bitdefender Total Security 2. Best for families: Norton 360 with LifeLock 3. Best for mobile: McAfee Mobile Security Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

    And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/top-open-source-ai-platform-flowise-hit -by-maximum-level-security-issue


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)