# CVE-2026-41269

> Vulnerability · severity: **HIGH** (CVSS 7.1).

## Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). This vulnerability is fixed in 3.1.0.

## Key facts

- **CVE ID:** CVE-2026-41269
- **Published:** 2026-04-23
- **CVSS severity:** HIGH
- **CVSS base score:** 7.1
- **CWE codes:** CWE-434

## Affected products

- `flowiseai:flowise`

## Primary sources

- NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-41269

## Citation

> AI Analytics. CVE-2026-41269. Retrieved 2026-07-07 from https://api.ai-analytics.org/cve/CVE-2026-41269. Derived from NIST NVD. Licensed CC0.

---

*[Dataset catalog](https://api.ai-analytics.org/datasets/) · [AI Analytics](https://api.ai-analytics.org/) · CC0 1.0*