MyPrivateClaw

Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation — 12,000+ Instances Exposed

Published on MyPrivateClaw: Apr 8, 2026, 8:46 AM UTC

Coverage date: Apr 7, 2026

Last updated: Apr 8, 2026, 9:39 PM UTC

News summary

Threat actors are actively exploiting CVE-2025-59528, a maximum-severity (CVSS 10.0) remote code execution vulnerability in Flowise, the open-source AI agent builder. The CustomMCP node allows unauthenticated code injection via unvalidated JavaScript. Over 12,000 internet-exposed instances are at risk. Patched in v3.0.6+. Users running self-hosted Flowise for private AI workflows should update immediately.