CVE-2026-56274 was disclosed June 24, 2026 - a critical OS command injection in Flowise before 3.1.2.
CVSS: 9.9 (Critical)
Type: OS Command Injection (CWE-78)
Component: Custom MCP Server feature
Status: No patch available
This is the third command-injection CVE targeting the same feature this year.
Full analysis: https://muhamedfazalps.github.io/security-alerts-june-2026/blog/cve-2026-56274-flowise-rce.html
Support this research: https://buymeacoffee.com/muhamedfazalps
CVE-2026-56274 was disclosed June 24, 2026 - a critical OS command injection in Flowise before 3.1.2.
CVSS: 9.9 (Critical)
Type: OS Command Injection (CWE-78)
Component: Custom MCP Server feature
Status: No patch available
This is the third command-injection CVE targeting the same feature this year.
Full analysis: https://muhamedfazalps.github.io/security-alerts-june-2026/blog/cve-2026-56274-flowise-rce.html
Support this research: https://buymeacoffee.com/muhamedfazalps