{"vulnerability": "CVE-2026-40933", "sightings": [{"uuid": "51429c3a-7220-4a6e-a10b-2d5c330445a0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40933", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mk233ljvfv2s", "content": "", "creation_timestamp": "2026-04-21T22:51:58.151520Z"}, {"uuid": "ee263358-c63c-462e-80e7-949ec1d3b6ce", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-40933", "type": "seen", "source": "https://bsky.app/profile/cyberlensai.bsky.social/post/3mjnqwtsarh26", "content": "", "creation_timestamp": "2026-04-17T01:18:30.599546Z"}, {"uuid": "bb1ed626-1392-462c-9aa6-c1692dad6be7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-40933", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116446123039030840", "content": "", "creation_timestamp": "2026-04-22T03:00:29.496283Z"}, {"uuid": "76d0d346-4128-4e5b-bb49-41d874fc3b65", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-40933", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3mk2iy2lmia2g", "content": "", "creation_timestamp": "2026-04-22T03:00:31.519841Z"}, {"uuid": "6b12b033-076e-4a07-afd9-a76131617403", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40933", "type": "seen", "source": "Telegram/WzFh75qC0rKhc-ksOtYvdTuNUy7-5M1wjcl5aTvCRw8jriM", "content": "", "creation_timestamp": "2026-04-21T23:30:49.000000Z"}, {"uuid": "f84b9632-fe06-485e-a089-195f04b21898", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40933", "type": "seen", "source": "https://bsky.app/profile/msaleme.bsky.social/post/3mkakith5bd2m", "content": "", "creation_timestamp": "2026-04-24T12:43:46.029202Z"}, {"uuid": "8ab031a4-d35f-4c7e-bdf8-b382653f90ce", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-40933", "type": "published-proof-of-concept", "source": "https://github.com/advisories/GHSA-c9gw-hvqq-f33r", "content": "", "creation_timestamp": "2026-04-16T21:18:17.000000Z"}, {"uuid": "3d496c5a-1329-4784-81b4-583b20435a27", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40933", "type": "seen", "source": "https://t.me/codeby_sec/10082", "content": "\u00ab\u0417\u0430\u0449\u0438\u0442\u0430 \u0435\u0441\u0442\u044c, \u0434\u044b\u0440\u0430 \u0442\u043e\u0436\u0435 \u0435\u0441\u0442\u044c\u00bb: \u043a\u0430\u043a \u0442\u0440\u0438 \u0441\u043b\u043e\u044f \u0432\u0430\u043b\u0438\u0434\u0430\u0446\u0438\u0438 \u0432 AI-\u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u0430\u0445 \u043d\u0435 \u0441\u043f\u0430\u0441\u043b\u0438 \u043e\u0442 RCE\n\n\u041f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u044c: \u0442\u044b \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u0447\u0438\u043a Flowise \u0438 \u0434\u043e\u0431\u0430\u0432\u0438\u043b allowlist \u0438\u0437 \u043f\u044f\u0442\u0438 \u043a\u043e\u043c\u0430\u043d\u0434, \u0444\u0443\u043d\u043a\u0446\u0438\u044e \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u0438\u043d\u044a\u0435\u043a\u0446\u0438\u0439 \u0438 \u0432\u0430\u043b\u0438\u0434\u0430\u0442\u043e\u0440 \u0430\u0440\u0433\u0443\u043c\u0435\u043d\u0442\u043e\u0432. \u0422\u0440\u0438 \u0441\u043b\u043e\u044f \u0437\u0430\u0449\u0438\u0442\u044b. \u041a\u0430\u0436\u0435\u0442\u0441\u044f, \u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e. \u041f\u043e\u0442\u043e\u043c \u043f\u0440\u0438\u0445\u043e\u0434\u0438\u0442 \u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u044c \u0438 \u043f\u0438\u0448\u0435\u0442 npx \u2014 \u043b\u0435\u0433\u0438\u0442\u0438\u043c\u043d\u0430\u044f \u043a\u043e\u043c\u0430\u043d\u0434\u0430, allowlist \u0434\u043e\u0432\u043e\u043b\u0435\u043d \u2014 \u0430 \u0441\u043b\u0435\u0434\u043e\u043c \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u0435\u0442 -c \"touch /tmp/pwn\". \u0424\u0430\u0439\u043b \u0441\u043e\u0437\u0434\u0430\u043d. \u0425\u043e\u0441\u0442 \u0441\u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u0438\u0440\u043e\u0432\u0430\u043d.\n\n\u0418\u043c\u0435\u043d\u043d\u043e \u0442\u0430\u043a \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 CVE-2026-40933 \u0432 Flowise \u2014 open-source \u043a\u043e\u043d\u0441\u0442\u0440\u0443\u043a\u0442\u043e\u0440\u0435 LLM-\u043f\u043e\u0442\u043e\u043a\u043e\u0432 \u0441 drag & drop \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u043e\u043c \u0438 \u043f\u0440\u0438\u043c\u0435\u0440\u043d\u043e 200 000 \u0430\u043a\u0442\u0438\u0432\u043d\u044b\u0445 \u0438\u043d\u0441\u0442\u0430\u043d\u0441\u043e\u0432. CVSS 9.9, \u043a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439. \u0414\u043b\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e \u043b\u044e\u0431\u043e\u0433\u043e \u0437\u0430\u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e \u0430\u043a\u043a\u0430\u0443\u043d\u0442\u0430 \u2014 \u0434\u0430\u0436\u0435 \u0441 \u043c\u0438\u043d\u0438\u043c\u0430\u043b\u044c\u043d\u044b\u043c\u0438 \u043f\u0440\u0430\u0432\u0430\u043c\u0438.\n\n\ud83d\udd0d \u041a\u043e\u0440\u0435\u043d\u044c \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u044b \u2014 \u043a\u043b\u0430\u0441\u0441\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u043f\u0440\u043e\u0432\u0430\u043b allowlist-\u043f\u043e\u0434\u0445\u043e\u0434\u0430. \u041f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u0430 \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u0442 \u0438\u043c\u044f \u0438\u0441\u043f\u043e\u043b\u043d\u044f\u0435\u043c\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u0430, \u043d\u043e \u0438\u0433\u043d\u043e\u0440\u0438\u0440\u0443\u0435\u0442 \u0441\u0435\u043c\u0430\u043d\u0442\u0438\u043a\u0443 \u0430\u0440\u0433\u0443\u043c\u0435\u043d\u0442\u043e\u0432. npx \u0432 \u0441\u043f\u0438\u0441\u043a\u0435 \u0440\u0430\u0437\u0440\u0435\u0448\u0451\u043d\u043d\u044b\u0445? \u041e\u0442\u043b\u0438\u0447\u043d\u043e. \u0410 \u0442\u043e, \u0447\u0442\u043e npx -c \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u0442 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 shell-\u043a\u043e\u0434 \u2014 \u0443\u0436\u0435 \u043d\u0435 \u0435\u0451 \u0437\u0430\u0431\u043e\u0442\u0430. \u0410\u043d\u0430\u043b\u043e\u0433\u0438\u0447\u043d\u043e \u0440\u0430\u0431\u043e\u0442\u0430\u044e\u0442 python -c \u0438 node -e. Sanitization-\u0444\u0443\u043d\u043a\u0446\u0438\u0438 \u0438\u0449\u0443\u0442 \u043f\u0430\u0442\u0442\u0435\u0440\u043d\u044b \u0432\u0440\u043e\u0434\u0435 ; rm -rf / \u0432 \u0441\u0442\u0440\u043e\u043a\u0435 \u043a\u043e\u043c\u0430\u043d\u0434\u044b, \u043d\u043e \u043d\u0435 \u0440\u0430\u0437\u0431\u0438\u0440\u0430\u044e\u0442 \u043a\u043e\u043d\u0442\u0435\u043a\u0441\u0442 \u0444\u043b\u0430\u0433\u043e\u0432.\n\n\u041d\u0430 \u043c\u043e\u043c\u0435\u043d\u0442 \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043e\u043a\u043e\u043b\u043e 7 000 Flowise-\u0438\u043d\u0441\u0442\u0430\u043d\u0441\u043e\u0432 \u0431\u044b\u043b\u0438 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b \u0432 \u0438\u043d\u0442\u0435\u0440\u043d\u0435\u0442\u0435. \u0422\u0438\u043f\u0438\u0447\u043d\u0430\u044f \u0438\u0441\u0442\u043e\u0440\u0438\u044f: \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u0443 \u0440\u0430\u0437\u0432\u043e\u0440\u0430\u0447\u0438\u0432\u0430\u044e\u0442 \u00ab\u043d\u0430 \u043f\u043e\u043f\u0440\u043e\u0431\u043e\u0432\u0430\u0442\u044c\u00bb, \u0430 \u043f\u043e\u0442\u043e\u043c \u043e\u043d\u0430 \u043e\u0431\u0440\u0430\u0441\u0442\u0430\u0435\u0442 prod-\u0438\u043d\u0442\u0435\u0433\u0440\u0430\u0446\u0438\u044f\u043c\u0438 \u0441 API-\u043a\u043b\u044e\u0447\u0430\u043c\u0438 \u043a OpenAI, Anthropic, \u0432\u043d\u0443\u0442\u0440\u0435\u043d\u043d\u0438\u043c \u0431\u0430\u0437\u0430\u043c \u0434\u0430\u043d\u043d\u044b\u0445. \u041e\u0434\u043d\u0430 CVE \u2014 \u0438 \u0437\u0430\u0434\u0430\u0447\u0430 \u00ab\u043f\u0440\u043e\u0431\u0438\u0442\u044c \u043f\u0435\u0440\u0438\u043c\u0435\u0442\u0440\u00bb \u043f\u0440\u0435\u0432\u0440\u0430\u0449\u0430\u0435\u0442\u0441\u044f \u0432 \u00ab\u0441\u043e\u0431\u0440\u0430\u0442\u044c \u043a\u043b\u044e\u0447\u0438 \u043e\u0442 \u0432\u0441\u0435\u0439 AI-\u0438\u043d\u0444\u0440\u0430\u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b\u00bb.\n\n\ud83c\udfaf \u0420\u044f\u0434\u043e\u043c \u043f\u043e \u0442\u0430\u0439\u043c\u043b\u0430\u0439\u043d\u0443 \u2014 CVE-2026-40911 \u0432 AVideo (CVSS 10.0). \u0422\u0430\u043c \u0434\u0440\u0443\u0433\u043e\u0439 \u043f\u0430\u0442\u0442\u0435\u0440\u043d: \u0434\u0432\u0430 eval()-sink \u043d\u0430 \u043a\u043b\u0438\u0435\u043d\u0442\u0441\u043a\u043e\u0439 \u0441\u0442\u043e\u0440\u043e\u043d\u0435 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u044e\u0442 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 JavaScript \u0432 \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0435 \u043a\u0430\u0436\u0434\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f, \u043f\u043e\u0434\u043a\u043b\u044e\u0447\u0451\u043d\u043d\u043e\u0433\u043e \u043a WebSocket. \u0411\u0435\u0437 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438. \u0412\u043e\u043e\u0431\u0449\u0435 \u0431\u0435\u0437 \u043d\u0435\u0451.\n\n\u0427\u0442\u043e \u043e\u0431\u044a\u0435\u0434\u0438\u043d\u044f\u0435\u0442 \u043e\u0431\u0435 CVE? \u0410\u043d\u0442\u0438\u043f\u0430\u0442\u0442\u0435\u0440\u043d\u044b, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0443\u0431\u0438\u0432\u0430\u043b\u0438 \u0441\u0430\u043c\u043e\u043f\u0438\u0441\u043d\u044b\u0435 PHP-\u0441\u043a\u0440\u0438\u043f\u0442\u044b \u043f\u044f\u0442\u044c \u043b\u0435\u0442 \u043d\u0430\u0437\u0430\u0434 \u2014 eval() \u0438 subprocess.exec() \u0431\u0435\u0437 \u0441\u0430\u043d\u0438\u0442\u0438\u0437\u0430\u0446\u0438\u0438 \u2014 \u0442\u0435\u043f\u0435\u0440\u044c \u0436\u0438\u0432\u0443\u0442 \u0432 \u0441\u043e\u0432\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0445 AI-\u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u0430\u0445 \u0441 \u043a\u0440\u0430\u0441\u0438\u0432\u044b\u043c \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u043e\u043c \u0438 \u043c\u0438\u043b\u043b\u0438\u043e\u043d\u0430\u043c\u0438 \u0437\u0430\u0433\u0440\u0443\u0437\u043e\u043a. \u0414\u043e\u0432\u0435\u0440\u0438\u0435 \u043a \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0438\u043c \u0434\u0430\u043d\u043d\u044b\u043c \u0437\u0430\u043b\u043e\u0436\u0435\u043d\u043e \u043f\u0440\u044f\u043c\u043e \u0432 \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u0443.\n\n\u26a0\ufe0f \u041d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u043f\u0440\u0430\u043a\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0445 \u0432\u044b\u0432\u043e\u0434\u043e\u0432, \u0435\u0441\u043b\u0438 \u0442\u044b \u0442\u0435\u0441\u0442\u0438\u0440\u0443\u0435\u0448\u044c \u0438\u043b\u0438 \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u0448\u044c AI-\u0438\u043d\u0444\u0440\u0430\u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0443:\n\n\u2022 Allowlist \u043f\u043e \u0438\u043c\u0435\u043d\u0438 \u0431\u0438\u043d\u0430\u0440\u043d\u0438\u043a\u0430 \u2014 \u043d\u0435 \u0437\u0430\u0449\u0438\u0442\u0430, \u0435\u0441\u043b\u0438 \u043d\u0435 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u044e\u0442\u0441\u044f \u0430\u0440\u0433\u0443\u043c\u0435\u043d\u0442\u044b. npx, python, node \u2014 \u0432\u0441\u0435 \u0443\u043c\u0435\u044e\u0442 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434 \u0447\u0435\u0440\u0435\u0437 \u0444\u043b\u0430\u0433\u0438.\n\u2022 Flowise < 3.1.0 \u2014 \u043e\u0431\u043d\u043e\u0432\u043b\u044f\u0439 \u043d\u0435\u043c\u0435\u0434\u043b\u0435\u043d\u043d\u043e. \u041f\u0430\u0442\u0447 \u0440\u0435\u0430\u043b\u0438\u0437\u0443\u0435\u0442 \u0441\u0442\u0440\u043e\u0433\u0443\u044e \u0432\u0430\u043b\u0438\u0434\u0430\u0446\u0438\u044e \u0430\u0440\u0433\u0443\u043c\u0435\u043d\u0442\u043e\u0432 \u0432 MCP stdio \u0430\u0434\u0430\u043f\u0442\u0435\u0440\u0435.\n\u2022 \u0415\u0441\u043b\u0438 Flowise \u0440\u0430\u0437\u0432\u0451\u0440\u043d\u0443\u0442 \u0432\u043d\u0443\u0442\u0440\u0438 \u043f\u0435\u0440\u0438\u043c\u0435\u0442\u0440\u0430 \u2014 \u043f\u0440\u043e\u0432\u0435\u0440\u044c, \u043d\u0435 \u043d\u0430\u043a\u043e\u043f\u0438\u043b\u0438\u0441\u044c \u043b\u0438 \u0442\u0430\u043c prod-\u043a\u043b\u044e\u0447\u0438 \u043e\u0442 OpenAI \u0438\u043b\u0438 \u0432\u043d\u0443\u0442\u0440\u0435\u043d\u043d\u0438\u0445 \u0441\u0435\u0440\u0432\u0438\u0441\u043e\u0432.\n\n\ud83d\udca1 \u0418\u043d\u0442\u0435\u0440\u0435\u0441\u043d\u044b\u0439 \u043d\u044e\u0430\u043d\u0441 \u0434\u043b\u044f \u043f\u0435\u043d\u0442\u0435\u0441\u0442\u0435\u0440\u043e\u0432: \u0434\u0430\u0436\u0435 \u0435\u0441\u043b\u0438 UI Flowise \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0438\u0432\u0430\u0435\u0442 \u0432\u044b\u0431\u043e\u0440 \u0442\u0440\u0430\u043d\u0441\u043f\u043e\u0440\u0442\u0430 \u0442\u043e\u043b\u044c\u043a\u043e HTTP/SSE, backend \u043c\u043e\u0436\u0435\u0442 \u043f\u0440\u0438\u043d\u044f\u0442\u044c stdio-\u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044e \u043d\u0430\u043f\u0440\u044f\u043c\u0443\u044e \u0447\u0435\u0440\u0435\u0437 API. \u041f\u0435\u0440\u0435\u0445\u0432\u0430\u0442\u0438 \u0437\u0430\u043f\u0440\u043e\u0441 \u0432 Burp, \u0437\u0430\u043c\u0435\u043d\u0438 transport_type \u0441 http \u043d\u0430 stdio, \u0434\u043e\u0431\u0430\u0432\u044c command \u0438 args \u2014 backend \u043d\u0435 \u0432 \u043a\u0443\u0440\u0441\u0435, \u0447\u0442\u043e UI \u044d\u0442\u043e \u0437\u0430\u043f\u0440\u0435\u0442\u0438\u043b.\n\n\u041f\u043e\u043b\u043d\u044b\u0439 \u0440\u0430\u0437\u0431\u043e\u0440 \u043e\u0431\u043e\u0438\u0445 \u0432\u0435\u043a\u0442\u043e\u0440\u043e\u0432, \u0432\u043e\u0441\u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u043c\u044b\u0435 \u0448\u0430\u0433\u0438, \u043c\u0430\u043f\u043f\u0438\u043d\u0433 \u043d\u0430 MITRE ATT&CK \u0438 \u0438\u043d\u0434\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u0430\u0446\u0438\u0438 \u2014 \u0432 \u0441\u0442\u0430\u0442\u044c\u0435.\n\nhttps://codeby.net/threads/rce-uyazvimosti-v-ai-platformakh-cve-2026-40933-i-cve-2026-40911-ot-allowlist-bypass-do-eval-injection.92944/", "creation_timestamp": "2026-05-03T14:23:12.000000Z"}, {"uuid": "d6891699-d72f-4961-9733-9f97185ffe07", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40933", "type": "seen", "source": "https://bsky.app/profile/infosecbriefly.bsky.social/post/3mn3h4gl5qm2a", "content": "CVE-2026-40933 enables command injection via Anthropic MCP stdio serialization, letting attackers execute arbitrary OS commands through crafted Flowise chatflow imports.\n", "creation_timestamp": "2026-05-30T16:15:25.241488Z"}, {"uuid": "bfb71f17-6d0f-4942-b045-860728d47ac3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40933", "type": "seen", "source": "https://mastodon.social/ap/users/115426718704364579/statuses/116664923372628918", "content": "\ud83d\udcf0 PoC Exploit Released for Critical 9.9 CVSS RCE Flaw in Flowise AI Platform\n\ud83d\udd25 CRITICAL RCE in Flowise AI! A 9.9 CVSS flaw (CVE-2026-40933) allows takeover of self-hosted servers with one click. PoC exploit is public. Patch now! #RCE #Vulnerability #AI #Cybersecurity\n\ud83c\udf10 cyber[.]netsecops[.]io\n\ud83d\udd17 https://cyber.netsecops.io/articles/exploit-code-published-for-critical-rce-vulnerability-in-flowise-ai-platform/?utm_source=mastodon&utm_medium=social&utm_campaign=daily", "creation_timestamp": "2026-05-30T18:24:45.172500Z"}, {"uuid": "6496d01f-9056-499f-841d-6964c3cd0684", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40933", "type": "seen", "source": "https://bsky.app/profile/netsecio.bsky.social/post/3mn3oe2aeru26", "content": "\ud83d\udd25 CRITICAL RCE in Flowise AI! A 9.9 CVSS flaw (CVE-2026-40933) allows takeover of self-hosted servers with one click. PoC exploit is public. Patch now! #RCE #Vulnerability #AI #Cybersecurity\n\n\ud83c\udf10 cyber[.]netsecops[.]io", "creation_timestamp": "2026-05-30T18:24:56.737015Z"}, {"uuid": "a15bfd29-3241-4a65-adcd-137df3a5dc43", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40933", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mn4nocgkh225", "content": "Obsidian Security published PoC code for CVE-2026-40933, a critical 9.9 RCE in Flowise. Crafted chatflow imports can trigger command execution in self-hosted deployments via Anthropic MCP. #Flowise #MCP #ObsidianSecurity", "creation_timestamp": "2026-05-31T03:45:26.946523Z"}, {"uuid": "90df2b1b-fb2f-41f7-991a-9c1b73765594", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40933", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116666245643817162", "content": "\ud83d\udea8 Exploit code for CRITICAL Flowise RCE (CVE-2026-40933) is public. Attackers can execute arbitrary code on self-hosted Flowise servers by tricking users into importing malicious chatflows. Restrict chatflow edits & imports until a patch lands. https://radar.offseq.com/threat/exploit-code-published-for-critical-flowise-rce-vu-ae84d042 #OffSeq #Flowise #RCE #infosec", "creation_timestamp": "2026-05-31T00:00:39.882127Z"}]}