KEVIntel
Back to KEVs
9.8
CVSS
Critical

CVE-2025-26319

PUBLISHED

FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments.

PoC available Remote Low complexity No user interaction
Vendor
n/a
Product
n/a
Published
Mar 04, 2025
EPSS

Description

FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments.

nuclei_scanner

CVSS scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation status

Proof of concept available

Recorded 2025-03-14 00:05:24 UTC · Source

SSVC decision points

Exploitation
poc
Automatable
Yes
Technical impact
total

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
The Shadowserver (via CIRCL) Jun 24, 2025

Scanner integrations

Scanner Reference Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-26319.yaml Apr 25, 2025

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

redpack-kr/CVE-2025-26319

github · Created 2025-03-14 00:05:24 UTC · 0 stars

YuoLuo/CVE-2025-26319

github · Created 2025-03-13 08:06:45 UTC · 5 stars

dorattias/CVE-2025-26319

github · Created 2025-02-02 08:02:48 UTC · 0 stars

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Detected by Nuclei

  • Added to KEVIntel