CVE-2025-26319 PoC — Flowise 代码问题漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-26319.yaml

Associated Vulnerability

Title:Flowise 代码问题漏洞 (CVE-2025-26319)
Description:Flowise是FlowiseAI开源的一个用于轻松构建 LLM 应用程序的工具。 Flowise 2.2.6版本存在安全漏洞，该漏洞源于存在任意文件上传问题。

Description

FlowiseAI Flowise version 2.2.6 and below contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. This vulnerability allows an unauthenticated attacker to upload files outside the intended directory through path traversal, potentially leading to API key exposure and remote code execution. The vulnerability can be exploited by uploading a malicious file to overwrite the .flowise/api.json configuration file.

File Snapshot


 id: CVE-2025-26319

info:
  name: FlowiseAI Flowise <= 2.2.6 - Arbitrary File Upload
  author: iamno

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!