Threat actors are actively exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform. This critical vulnerability has been identified through new findings from VulnCheck, highlighting a significant risk to users of the platform.
The vulnerability is tracked as CVE-2025-59528 and carries a CVSS score of 10.0, the maximum severity rating. It is classified as a code injection vulnerability, meaning it can lead directly to remote code execution (RCE) on affected systems.
The report adds that the "CustomMCP node allows users to input configuration settings for connecting," which is likely the entry point for the code injection: a feature intended for legitimate configuration is being abused by attackers.
