CVE-2025-71336 · CVSS 9.8 · EXPLOITED · PATCHED
flowi · flowise

Flowise - Unsandboxed Remote Code Execution via Custom MCP

Description

A vulnerability rated critical has been found in Flowise up to 3.0.5. It affects an unknown function of the file /api/v1/node-load-method/customMCP in the Custom MCP feature. Manipulation can lead to OS command injection. The vulnerability is tracked as CVE-2025-71336. The attack can be launched remotely. No exploit exists. The affected component should be upgraded.

Affected Products

Vendor | Product | Versions
flowi | flowise | 0, 3.0.5

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
open source | open source flowise | cert_advisory | 90%

References

  • https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6933-jpx5-q87q (vendor-advisory)
  • https://www.vulncheck.com/advisories/flowise-unsandboxed-remote-code-execution-via-custom-mcp (third-party-advisory)

Related News (2 articles)

Tier B · BSI Advisories · 1d ago
[UPDATE] [UNPATCHED] [critical] Flowise: Multiple vulnerabilities
→ No new info (linked only)
Tier C · VulDB · 2d ago
CVE-2025-71336 | Flowise up to 3.0.5 Custom MCP Feature customMCP os command injection (GHSA-6933-jpx5-q87q)
→ No new info (linked only)

CVSS 3.1: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 3.0.6
CWE: CWE-78
Published: Jun 25, 2026
Last enriched: 2d ago (v2)
Trending Score: 48
Source articles: 2
Independent: 2
Info Completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

NONE · CVE-2025-71327 · EXP
Flowise - Authentication Bypass via Unprotected Registration Endpoint
Trending: 58
NONE · CVE-2025-71338 · EXP
Flowise - Arbitrary File Write to Remote Code Execution via document-store API
Trending: 58
NONE · CVE-2025-71334 · EXP
Flowise - Arbitrary File Access via Missing Chat Flow ID Validation
Trending: 58
NONE · CVE-2025-71333 · EXP
Flowise - Arbitrary File Upload via Unauthenticated /api/v1/attachments Endpoint
Trending: 44
HIGH · CVE-2025-71324
Flowise - Arbitrary File Read via chatId Parameter
Trending: 32

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Jun 25, 2026
Actively Exploited: Jun 25, 2026
Patch Available: Jun 25, 2026
Discovered by ZDM: Jun 25, 2026
Updated (description, affectedVersions, severity, activelyExploited): Jun 25, 2026

Version History

v2 (last enriched 2d ago)

v2 · Tier C · 2d ago · via VulDB
Updated severity to CRITICAL, added affected version 3.0.5, and corrected exploit availability to false.
description, affectedVersions, severity, activelyExploited

v1 · 2d ago
Initial creation