Critical AI issue

Flowise AI Agent Builder RCE — Active In-The-Wild Exploitation

CVE: CVE-2025-59528
Severity: critical
Status: open
Date: April 8, 2026
Affects: Flowise AI Agent Builder before 3.0.6 (12,000-15,000 exposed instances)
Source: thehackernews.com

Details

CVSS 10.0. The CustomMCP node executes user-provided JavaScript without security validation, so that code runs with the full privileges of the Node.js runtime (including child_process and fs). VulnCheck detected the first in-the-wild exploitation in April 2026, originating from a Starlink IP address; the flaw had been exploitable for 6+ months before that. Fix: upgrade to Flowise 3.0.6.
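The two things a defender wants from this entry are (a) a way to tell whether an instance is still on an affected version and (b) a picture of what "executes user-provided JavaScript with full runtime privileges" means in code next to the pattern that avoids it. The block below is an added illustration written for this page; it is not Flowise project code and does not reproduce the CustomMCP node. The configuration keys (`serverUrl`, `transport`, `headers`), the transport names, the probe string and the version strings are all constructed assumptions; only the fixed version 3.0.6 comes from the advisory.

```javascript
// Added example (not Flowise code). Shows: why compiling user text with
// new Function() hands the caller the server's ambient authority; a hardened
// alternative that treats node configuration as declarative JSON; and a
// version gate for CVE-2025-59528 (fixed in 3.0.6 per the advisory).
// Config keys, transports and sample inputs below are assumptions.

// --- Vulnerable pattern: user-supplied text becomes code ---------------------
// new Function() compiles in the global scope, so the supplied body sees the
// same globals (process, globalThis, ...) as the host process itself.
function evaluateUntrusted(userSuppliedSource) {
  return new Function(userSuppliedSource)(); // no validation, full runtime
}

// Constructed, deliberately benign probe: it only reports what it can reach.
const PROBE =
  'return { hasProcess: typeof process === "object", node: process.versions.node };';

// --- Hardened pattern: configuration is data, never code ----------------------
const ALLOWED_KEYS = new Set(["serverUrl", "transport", "headers"]); // assumed schema
const ALLOWED_TRANSPORTS = new Set(["sse", "streamable-http"]);      // assumed values

function parseDeclarativeConfig(text) {
  let cfg;
  try {
    cfg = JSON.parse(text); // only JSON literals survive; expressions never execute
  } catch {
    throw new Error("config must be JSON, not code");
  }
  if (cfg === null || typeof cfg !== "object" || Array.isArray(cfg)) {
    throw new Error("config must be a JSON object");
  }
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error(`unexpected key: ${key}`);
  }
  let url;
  try {
    url = new URL(cfg.serverUrl);
  } catch {
    throw new Error("serverUrl must be an absolute URL");
  }
  if (url.protocol !== "https:") throw new Error("serverUrl must use https");
  if (!ALLOWED_TRANSPORTS.has(cfg.transport)) throw new Error("unsupported transport");
  const headers = {};
  if (cfg.headers !== undefined) {
    if (cfg.headers === null || typeof cfg.headers !== "object" || Array.isArray(cfg.headers)) {
      throw new Error("headers must be an object of strings");
    }
    for (const [name, value] of Object.entries(cfg.headers)) {
      if (typeof value !== "string") throw new Error(`header ${name} must be a string`);
      headers[name] = value;
    }
  }
  // Return a fresh plain object: nothing from the input is ever evaluated.
  return { serverUrl: url.href, transport: cfg.transport, headers };
}

// --- Version gate: anything below 3.0.6 is affected ---------------------------
const FIXED_VERSION = [3, 0, 6];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function isAffected(version) {
  const parts = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED_VERSION[i]) return parts[i] < FIXED_VERSION[i];
  }
  return false; // exactly the fixed version
}

// Stand-alone demonstration of the three pieces above.
function demo() {
  console.log("untrusted eval reaches runtime:", evaluateUntrusted(PROBE));
  console.log("declarative config accepted:",
    parseDeclarativeConfig('{"serverUrl":"https://example.invalid/mcp","transport":"sse"}'));
  try {
    parseDeclarativeConfig(PROBE);
  } catch (e) {
    console.log("code string rejected:", e.message);
  }
  for (const v of ["3.0.5", "3.0.6", "v3.1.0"]) {
    console.log(`Flowise ${v} affected:`, isAffected(v));
  }
}
demo();
```

The version gate is the piece to wire into an inventory script: feed it whatever version string your deployment tooling or the instance reports and treat `true` as "patch now, and review who could reach the CustomMCP node in the meantime". The config parser shows the general shape of the fix for this vulnerability class: accept a closed schema of plain values, reject everything else, and never hand user text to `new Function`, `eval` or `vm` in the server process.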