{"vulnerability": "cve-2026-4093", "sightings": [{"uuid": "d89f24a0-e9b7-42c9-bcc5-4afcc805bc20", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40937", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mk4gnqqvqk2c", "content": "", "creation_timestamp": "2026-04-22T21:24:17.481231Z"}, {"uuid": "ee263358-c63c-462e-80e7-949ec1d3b6ce", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-40933", "type": "seen", "source": "https://bsky.app/profile/cyberlensai.bsky.social/post/3mjnqwtsarh26", "content": "", "creation_timestamp": "2026-04-17T01:18:30.599546Z"}, {"uuid": "bb1ed626-1392-462c-9aa6-c1692dad6be7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-40933", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116446123039030840", "content": "", "creation_timestamp": "2026-04-22T03:00:29.496283Z"}, {"uuid": "76d0d346-4128-4e5b-bb49-41d874fc3b65", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-40933", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3mk2iy2lmia2g", "content": "", "creation_timestamp": "2026-04-22T03:00:31.519841Z"}, {"uuid": "2f139321-6137-4eea-b9f1-7cd621ffd7c7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40938", "type": "seen", "source": "Telegram/WzFh75qC0rKhc-ksOtYvdTuNUy7-5M1wjcl5aTvCRw8jriM", "content": "", "creation_timestamp": "2026-04-21T23:30:49.000000Z"}, {"uuid": "f84b9632-fe06-485e-a089-195f04b21898", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40933", "type": "seen", "source": "https://bsky.app/profile/msaleme.bsky.social/post/3mkakith5bd2m", "content": "", "creation_timestamp": "2026-04-24T12:43:46.029202Z"}, {"uuid": "e85399d9-0559-457d-84db-fbe944c16177", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40937", "type": "seen", "source": "https://bsky.app/profile/cyberhub.blog/post/3mkaqtki3mu25", "content": "", "creation_timestamp": "2026-04-24T14:37:08.154313Z"}, {"uuid": "8de5c22e-48d7-46fb-b06c-39fa91f08dcc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40938", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mjzy7rzknb2l", "content": "", "creation_timestamp": "2026-04-21T22:00:37.364826Z"}, {"uuid": "4f4bd09b-4660-444f-9779-8c7d319288d8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40938", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mjzzkxzfsn2k", "content": "", "creation_timestamp": "2026-04-21T22:24:45.992309Z"}, {"uuid": "2724b603-e543-4676-8036-eb065a5197b3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40931", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mk22btobow2e", "content": "", "creation_timestamp": "2026-04-21T22:37:34.183547Z"}, {"uuid": "51429c3a-7220-4a6e-a10b-2d5c330445a0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40933", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mk233ljvfv2s", "content": "", "creation_timestamp": "2026-04-21T22:51:58.151520Z"}, {"uuid": "0bc2b53f-70d5-4869-80fc-f584c107510f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40931", "type": "seen", "source": "https://bsky.app/profile/postac001.bsky.social/post/3mk2fjwdzfw23", "content": "", "creation_timestamp": "2026-04-22T01:58:55.267904Z"}, {"uuid": "996764ab-760e-4463-b6fc-0d3380e8a628", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40937", "type": "seen", "source": "Telegram/n2iRBZnq9E7ZcL0orkF_wrY_jYuWJ0gfdHv4rT79OW1qv3c", "content": "", "creation_timestamp": "2026-04-22T23:20:31.000000Z"}, {"uuid": "75a394ba-30d8-472a-a2a1-2b6f75f23acc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40931", "type": "seen", "source": "Telegram/WzFh75qC0rKhc-ksOtYvdTuNUy7-5M1wjcl5aTvCRw8jriM", "content": "", "creation_timestamp": "2026-04-21T23:30:49.000000Z"}, {"uuid": "6b12b033-076e-4a07-afd9-a76131617403", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40933", "type": "seen", "source": "Telegram/WzFh75qC0rKhc-ksOtYvdTuNUy7-5M1wjcl5aTvCRw8jriM", "content": "", "creation_timestamp": "2026-04-21T23:30:49.000000Z"}, {"uuid": "836c6e3f-68c0-4fee-8b95-de3327387d79", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40934", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3ml5ku6mloc2e", "content": "CVE-2026-40934 - jupyter-server authentication cookies remain valid after password reset due to static cookie secret\nCVE ID : CVE-2026-40934\n \n Published : May 5, 2026, 10:16 p.m. | 2\u00a0hours, 6\u00a0minutes ago\n \n Description : Jupyter Server is the backend for Jupyter web applicati...", "creation_timestamp": "2026-05-06T01:37:19.136388Z"}, {"uuid": "3d496c5a-1329-4784-81b4-583b20435a27", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40933", "type": "seen", "source": "https://t.me/codeby_sec/10082", "content": "\u00ab\u0417\u0430\u0449\u0438\u0442\u0430 \u0435\u0441\u0442\u044c, \u0434\u044b\u0440\u0430 \u0442\u043e\u0436\u0435 \u0435\u0441\u0442\u044c\u00bb: \u043a\u0430\u043a \u0442\u0440\u0438 \u0441\u043b\u043e\u044f \u0432\u0430\u043b\u0438\u0434\u0430\u0446\u0438\u0438 \u0432 AI-\u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u0430\u0445 \u043d\u0435 \u0441\u043f\u0430\u0441\u043b\u0438 \u043e\u0442 RCE\n\n\u041f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u044c: \u0442\u044b \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u0447\u0438\u043a Flowise \u0438 \u0434\u043e\u0431\u0430\u0432\u0438\u043b allowlist \u0438\u0437 \u043f\u044f\u0442\u0438 \u043a\u043e\u043c\u0430\u043d\u0434, \u0444\u0443\u043d\u043a\u0446\u0438\u044e \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u0438\u043d\u044a\u0435\u043a\u0446\u0438\u0439 \u0438 \u0432\u0430\u043b\u0438\u0434\u0430\u0442\u043e\u0440 \u0430\u0440\u0433\u0443\u043c\u0435\u043d\u0442\u043e\u0432. \u0422\u0440\u0438 \u0441\u043b\u043e\u044f \u0437\u0430\u0449\u0438\u0442\u044b. \u041a\u0430\u0436\u0435\u0442\u0441\u044f, \u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e. \u041f\u043e\u0442\u043e\u043c \u043f\u0440\u0438\u0445\u043e\u0434\u0438\u0442 \u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u044c \u0438 \u043f\u0438\u0448\u0435\u0442 npx \u2014 \u043b\u0435\u0433\u0438\u0442\u0438\u043c\u043d\u0430\u044f \u043a\u043e\u043c\u0430\u043d\u0434\u0430, allowlist \u0434\u043e\u0432\u043e\u043b\u0435\u043d \u2014 \u0430 \u0441\u043b\u0435\u0434\u043e\u043c \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u0435\u0442 -c \"touch /tmp/pwn\". \u0424\u0430\u0439\u043b \u0441\u043e\u0437\u0434\u0430\u043d. \u0425\u043e\u0441\u0442 \u0441\u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u0438\u0440\u043e\u0432\u0430\u043d.\n\n\u0418\u043c\u0435\u043d\u043d\u043e \u0442\u0430\u043a \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 CVE-2026-40933 \u0432 Flowise \u2014 open-source \u043a\u043e\u043d\u0441\u0442\u0440\u0443\u043a\u0442\u043e\u0440\u0435 LLM-\u043f\u043e\u0442\u043e\u043a\u043e\u0432 \u0441 drag & drop \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u043e\u043c \u0438 \u043f\u0440\u0438\u043c\u0435\u0440\u043d\u043e 200 000 \u0430\u043a\u0442\u0438\u0432\u043d\u044b\u0445 \u0438\u043d\u0441\u0442\u0430\u043d\u0441\u043e\u0432. CVSS 9.9, \u043a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439. \u0414\u043b\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e \u043b\u044e\u0431\u043e\u0433\u043e \u0437\u0430\u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e \u0430\u043a\u043a\u0430\u0443\u043d\u0442\u0430 \u2014 \u0434\u0430\u0436\u0435 \u0441 \u043c\u0438\u043d\u0438\u043c\u0430\u043b\u044c\u043d\u044b\u043c\u0438 \u043f\u0440\u0430\u0432\u0430\u043c\u0438.\n\n\ud83d\udd0d \u041a\u043e\u0440\u0435\u043d\u044c \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u044b \u2014 \u043a\u043b\u0430\u0441\u0441\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u043f\u0440\u043e\u0432\u0430\u043b allowlist-\u043f\u043e\u0434\u0445\u043e\u0434\u0430. \u041f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u0430 \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u0442 \u0438\u043c\u044f \u0438\u0441\u043f\u043e\u043b\u043d\u044f\u0435\u043c\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u0430, \u043d\u043e \u0438\u0433\u043d\u043e\u0440\u0438\u0440\u0443\u0435\u0442 \u0441\u0435\u043c\u0430\u043d\u0442\u0438\u043a\u0443 \u0430\u0440\u0433\u0443\u043c\u0435\u043d\u0442\u043e\u0432. npx \u0432 \u0441\u043f\u0438\u0441\u043a\u0435 \u0440\u0430\u0437\u0440\u0435\u0448\u0451\u043d\u043d\u044b\u0445? \u041e\u0442\u043b\u0438\u0447\u043d\u043e. \u0410 \u0442\u043e, \u0447\u0442\u043e npx -c \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u0442 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 shell-\u043a\u043e\u0434 \u2014 \u0443\u0436\u0435 \u043d\u0435 \u0435\u0451 \u0437\u0430\u0431\u043e\u0442\u0430. \u0410\u043d\u0430\u043b\u043e\u0433\u0438\u0447\u043d\u043e \u0440\u0430\u0431\u043e\u0442\u0430\u044e\u0442 python -c \u0438 node -e. Sanitization-\u0444\u0443\u043d\u043a\u0446\u0438\u0438 \u0438\u0449\u0443\u0442 \u043f\u0430\u0442\u0442\u0435\u0440\u043d\u044b \u0432\u0440\u043e\u0434\u0435 ; rm -rf / \u0432 \u0441\u0442\u0440\u043e\u043a\u0435 \u043a\u043e\u043c\u0430\u043d\u0434\u044b, \u043d\u043e \u043d\u0435 \u0440\u0430\u0437\u0431\u0438\u0440\u0430\u044e\u0442 \u043a\u043e\u043d\u0442\u0435\u043a\u0441\u0442 \u0444\u043b\u0430\u0433\u043e\u0432.\n\n\u041d\u0430 \u043c\u043e\u043c\u0435\u043d\u0442 \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043e\u043a\u043e\u043b\u043e 7 000 Flowise-\u0438\u043d\u0441\u0442\u0430\u043d\u0441\u043e\u0432 \u0431\u044b\u043b\u0438 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b \u0432 \u0438\u043d\u0442\u0435\u0440\u043d\u0435\u0442\u0435. \u0422\u0438\u043f\u0438\u0447\u043d\u0430\u044f \u0438\u0441\u0442\u043e\u0440\u0438\u044f: \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u0443 \u0440\u0430\u0437\u0432\u043e\u0440\u0430\u0447\u0438\u0432\u0430\u044e\u0442 \u00ab\u043d\u0430 \u043f\u043e\u043f\u0440\u043e\u0431\u043e\u0432\u0430\u0442\u044c\u00bb, \u0430 \u043f\u043e\u0442\u043e\u043c \u043e\u043d\u0430 \u043e\u0431\u0440\u0430\u0441\u0442\u0430\u0435\u0442 prod-\u0438\u043d\u0442\u0435\u0433\u0440\u0430\u0446\u0438\u044f\u043c\u0438 \u0441 API-\u043a\u043b\u044e\u0447\u0430\u043c\u0438 \u043a OpenAI, Anthropic, \u0432\u043d\u0443\u0442\u0440\u0435\u043d\u043d\u0438\u043c \u0431\u0430\u0437\u0430\u043c \u0434\u0430\u043d\u043d\u044b\u0445. \u041e\u0434\u043d\u0430 CVE \u2014 \u0438 \u0437\u0430\u0434\u0430\u0447\u0430 \u00ab\u043f\u0440\u043e\u0431\u0438\u0442\u044c \u043f\u0435\u0440\u0438\u043c\u0435\u0442\u0440\u00bb \u043f\u0440\u0435\u0432\u0440\u0430\u0449\u0430\u0435\u0442\u0441\u044f \u0432 \u00ab\u0441\u043e\u0431\u0440\u0430\u0442\u044c \u043a\u043b\u044e\u0447\u0438 \u043e\u0442 \u0432\u0441\u0435\u0439 AI-\u0438\u043d\u0444\u0440\u0430\u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b\u00bb.\n\n\ud83c\udfaf \u0420\u044f\u0434\u043e\u043c \u043f\u043e \u0442\u0430\u0439\u043c\u043b\u0430\u0439\u043d\u0443 \u2014 CVE-2026-40911 \u0432 AVideo (CVSS 10.0). \u0422\u0430\u043c \u0434\u0440\u0443\u0433\u043e\u0439 \u043f\u0430\u0442\u0442\u0435\u0440\u043d: \u0434\u0432\u0430 eval()-sink \u043d\u0430 \u043a\u043b\u0438\u0435\u043d\u0442\u0441\u043a\u043e\u0439 \u0441\u0442\u043e\u0440\u043e\u043d\u0435 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u044e\u0442 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 JavaScript \u0432 \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0435 \u043a\u0430\u0436\u0434\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f, \u043f\u043e\u0434\u043a\u043b\u044e\u0447\u0451\u043d\u043d\u043e\u0433\u043e \u043a WebSocket. \u0411\u0435\u0437 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438. \u0412\u043e\u043e\u0431\u0449\u0435 \u0431\u0435\u0437 \u043d\u0435\u0451.\n\n\u0427\u0442\u043e \u043e\u0431\u044a\u0435\u0434\u0438\u043d\u044f\u0435\u0442 \u043e\u0431\u0435 CVE? \u0410\u043d\u0442\u0438\u043f\u0430\u0442\u0442\u0435\u0440\u043d\u044b, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0443\u0431\u0438\u0432\u0430\u043b\u0438 \u0441\u0430\u043c\u043e\u043f\u0438\u0441\u043d\u044b\u0435 PHP-\u0441\u043a\u0440\u0438\u043f\u0442\u044b \u043f\u044f\u0442\u044c \u043b\u0435\u0442 \u043d\u0430\u0437\u0430\u0434 \u2014 eval() \u0438 subprocess.exec() \u0431\u0435\u0437 \u0441\u0430\u043d\u0438\u0442\u0438\u0437\u0430\u0446\u0438\u0438 \u2014 \u0442\u0435\u043f\u0435\u0440\u044c \u0436\u0438\u0432\u0443\u0442 \u0432 \u0441\u043e\u0432\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0445 AI-\u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u0430\u0445 \u0441 \u043a\u0440\u0430\u0441\u0438\u0432\u044b\u043c \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u043e\u043c \u0438 \u043c\u0438\u043b\u043b\u0438\u043e\u043d\u0430\u043c\u0438 \u0437\u0430\u0433\u0440\u0443\u0437\u043e\u043a. \u0414\u043e\u0432\u0435\u0440\u0438\u0435 \u043a \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0438\u043c \u0434\u0430\u043d\u043d\u044b\u043c \u0437\u0430\u043b\u043e\u0436\u0435\u043d\u043e \u043f\u0440\u044f\u043c\u043e \u0432 \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u0443.\n\n\u26a0\ufe0f \u041d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u043f\u0440\u0430\u043a\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0445 \u0432\u044b\u0432\u043e\u0434\u043e\u0432, \u0435\u0441\u043b\u0438 \u0442\u044b \u0442\u0435\u0441\u0442\u0438\u0440\u0443\u0435\u0448\u044c \u0438\u043b\u0438 \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u0448\u044c AI-\u0438\u043d\u0444\u0440\u0430\u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0443:\n\n\u2022 Allowlist \u043f\u043e \u0438\u043c\u0435\u043d\u0438 \u0431\u0438\u043d\u0430\u0440\u043d\u0438\u043a\u0430 \u2014 \u043d\u0435 \u0437\u0430\u0449\u0438\u0442\u0430, \u0435\u0441\u043b\u0438 \u043d\u0435 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u044e\u0442\u0441\u044f \u0430\u0440\u0433\u0443\u043c\u0435\u043d\u0442\u044b. npx, python, node \u2014 \u0432\u0441\u0435 \u0443\u043c\u0435\u044e\u0442 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434 \u0447\u0435\u0440\u0435\u0437 \u0444\u043b\u0430\u0433\u0438.\n\u2022 Flowise < 3.1.0 \u2014 \u043e\u0431\u043d\u043e\u0432\u043b\u044f\u0439 \u043d\u0435\u043c\u0435\u0434\u043b\u0435\u043d\u043d\u043e. \u041f\u0430\u0442\u0447 \u0440\u0435\u0430\u043b\u0438\u0437\u0443\u0435\u0442 \u0441\u0442\u0440\u043e\u0433\u0443\u044e \u0432\u0430\u043b\u0438\u0434\u0430\u0446\u0438\u044e \u0430\u0440\u0433\u0443\u043c\u0435\u043d\u0442\u043e\u0432 \u0432 MCP stdio \u0430\u0434\u0430\u043f\u0442\u0435\u0440\u0435.\n\u2022 \u0415\u0441\u043b\u0438 Flowise \u0440\u0430\u0437\u0432\u0451\u0440\u043d\u0443\u0442 \u0432\u043d\u0443\u0442\u0440\u0438 \u043f\u0435\u0440\u0438\u043c\u0435\u0442\u0440\u0430 \u2014 \u043f\u0440\u043e\u0432\u0435\u0440\u044c, \u043d\u0435 \u043d\u0430\u043a\u043e\u043f\u0438\u043b\u0438\u0441\u044c \u043b\u0438 \u0442\u0430\u043c prod-\u043a\u043b\u044e\u0447\u0438 \u043e\u0442 OpenAI \u0438\u043b\u0438 \u0432\u043d\u0443\u0442\u0440\u0435\u043d\u043d\u0438\u0445 \u0441\u0435\u0440\u0432\u0438\u0441\u043e\u0432.\n\n\ud83d\udca1 \u0418\u043d\u0442\u0435\u0440\u0435\u0441\u043d\u044b\u0439 \u043d\u044e\u0430\u043d\u0441 \u0434\u043b\u044f \u043f\u0435\u043d\u0442\u0435\u0441\u0442\u0435\u0440\u043e\u0432: \u0434\u0430\u0436\u0435 \u0435\u0441\u043b\u0438 UI Flowise \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0438\u0432\u0430\u0435\u0442 \u0432\u044b\u0431\u043e\u0440 \u0442\u0440\u0430\u043d\u0441\u043f\u043e\u0440\u0442\u0430 \u0442\u043e\u043b\u044c\u043a\u043e HTTP/SSE, backend \u043c\u043e\u0436\u0435\u0442 \u043f\u0440\u0438\u043d\u044f\u0442\u044c stdio-\u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044e \u043d\u0430\u043f\u0440\u044f\u043c\u0443\u044e \u0447\u0435\u0440\u0435\u0437 API. \u041f\u0435\u0440\u0435\u0445\u0432\u0430\u0442\u0438 \u0437\u0430\u043f\u0440\u043e\u0441 \u0432 Burp, \u0437\u0430\u043c\u0435\u043d\u0438 transport_type \u0441 http \u043d\u0430 stdio, \u0434\u043e\u0431\u0430\u0432\u044c command \u0438 args \u2014 backend \u043d\u0435 \u0432 \u043a\u0443\u0440\u0441\u0435, \u0447\u0442\u043e UI \u044d\u0442\u043e \u0437\u0430\u043f\u0440\u0435\u0442\u0438\u043b.\n\n\u041f\u043e\u043b\u043d\u044b\u0439 \u0440\u0430\u0437\u0431\u043e\u0440 \u043e\u0431\u043e\u0438\u0445 \u0432\u0435\u043a\u0442\u043e\u0440\u043e\u0432, \u0432\u043e\u0441\u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u043c\u044b\u0435 \u0448\u0430\u0433\u0438, \u043c\u0430\u043f\u043f\u0438\u043d\u0433 \u043d\u0430 MITRE ATT&CK \u0438 \u0438\u043d\u0434\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u0430\u0446\u0438\u0438 \u2014 \u0432 \u0441\u0442\u0430\u0442\u044c\u0435.\n\nhttps://codeby.net/threads/rce-uyazvimosti-v-ai-platformakh-cve-2026-40933-i-cve-2026-40911-ot-allowlist-bypass-do-eval-injection.92944/", "creation_timestamp": "2026-05-03T14:23:12.000000Z"}, {"uuid": "8a3ed6dd-97df-4b68-919e-841527ce32ca", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40930", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116598142822807698", "content": "It is possible to see elevated activities targeting libpng (CVE-2026-40930) https://vuldb.com/vuln/364452/cti", "creation_timestamp": "2026-05-18T23:21:06.874226Z"}, {"uuid": "aaa6a9e8-3499-4537-8852-91ef2be23a99", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-40938", "type": "published-proof-of-concept", "source": "https://github.com/tektoncd/pipeline/security/advisories/GHSA-94jr-7pqp-xhcq", "content": "", "creation_timestamp": "2026-04-21T14:12:35.000000Z"}, {"uuid": "18fe8148-50e7-45eb-8cb1-ed8f4eb79246", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-40938", "type": "published-proof-of-concept", "source": "https://api.github.com/repos/tektoncd/pipeline/security-advisories/GHSA-94jr-7pqp-xhcq", "content": "", "creation_timestamp": "2026-04-21T14:12:35.000000Z"}, {"uuid": "30c164d3-63a9-4d6c-8433-68ae5cbd0e68", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-40935", "type": "published-proof-of-concept", "source": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hg7g-56h5-5pqr", "content": "", "creation_timestamp": "2026-04-13T14:33:21.000000Z"}, {"uuid": "8ab031a4-d35f-4c7e-bdf8-b382653f90ce", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-40933", "type": "published-proof-of-concept", "source": "https://github.com/advisories/GHSA-c9gw-hvqq-f33r", "content": "", "creation_timestamp": "2026-04-16T21:18:17.000000Z"}, {"uuid": "d2535f7b-408a-4f46-a590-6e4186556db0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-40937", "type": "published-proof-of-concept", "source": "https://github.com/rustfs/rustfs/security/advisories/GHSA-pfcq-4gjr-6gjm", "content": "", "creation_timestamp": "2026-04-22T05:22:56.000000Z"}, {"uuid": "d6891699-d72f-4961-9733-9f97185ffe07", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40933", "type": "seen", "source": "https://bsky.app/profile/infosecbriefly.bsky.social/post/3mn3h4gl5qm2a", "content": "CVE-2026-40933 enables command injection via Anthropic MCP stdio serialization, letting attackers execute arbitrary OS commands through crafted Flowise chatflow imports.\n", "creation_timestamp": "2026-05-30T16:15:25.241488Z"}, {"uuid": "35656d68-d136-4985-b800-34033628059e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-40931", "type": "published-proof-of-concept", "source": "https://github.com/node-modules/compressing/security/advisories/GHSA-4c3q-x735-j3r5", "content": "", "creation_timestamp": "2026-04-13T14:02:27.000000Z"}, {"uuid": "a15bfd29-3241-4a65-adcd-137df3a5dc43", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40933", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mn4nocgkh225", "content": "Obsidian Security published PoC code for CVE-2026-40933, a critical 9.9 RCE in Flowise. Crafted chatflow imports can trigger command execution in self-hosted deployments via Anthropic MCP. #Flowise #MCP #ObsidianSecurity", "creation_timestamp": "2026-05-31T03:45:26.946523Z"}, {"uuid": "bfb71f17-6d0f-4942-b045-860728d47ac3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40933", "type": "seen", "source": "https://mastodon.social/ap/users/115426718704364579/statuses/116664923372628918", "content": "\ud83d\udcf0 PoC Exploit Released for Critical 9.9 CVSS RCE Flaw in Flowise AI Platform\n\ud83d\udd25 CRITICAL RCE in Flowise AI! A 9.9 CVSS flaw (CVE-2026-40933) allows takeover of self-hosted servers with one click. PoC exploit is public. Patch now! #RCE #Vulnerability #AI #Cybersecurity\n\ud83c\udf10 cyber[.]netsecops[.]io\n\ud83d\udd17 https://cyber.netsecops.io/articles/exploit-code-published-for-critical-rce-vulnerability-in-flowise-ai-platform/?utm_source=mastodon&utm_medium=social&utm_campaign=daily", "creation_timestamp": "2026-05-30T18:24:45.172500Z"}, {"uuid": "6496d01f-9056-499f-841d-6964c3cd0684", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40933", "type": "seen", "source": "https://bsky.app/profile/netsecio.bsky.social/post/3mn3oe2aeru26", "content": "\ud83d\udd25 CRITICAL RCE in Flowise AI! A 9.9 CVSS flaw (CVE-2026-40933) allows takeover of self-hosted servers with one click. PoC exploit is public. Patch now! #RCE #Vulnerability #AI #Cybersecurity\n\n\ud83c\udf10 cyber[.]netsecops[.]io", "creation_timestamp": "2026-05-30T18:24:56.737015Z"}, {"uuid": "90df2b1b-fb2f-41f7-991a-9c1b73765594", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40933", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116666245643817162", "content": "\ud83d\udea8 Exploit code for CRITICAL Flowise RCE (CVE-2026-40933) is public. Attackers can execute arbitrary code on self-hosted Flowise servers by tricking users into importing malicious chatflows. Restrict chatflow edits & imports until a patch lands. https://radar.offseq.com/threat/exploit-code-published-for-critical-flowise-rce-vu-ae84d042 #OffSeq #Flowise #RCE #infosec", "creation_timestamp": "2026-05-31T00:00:39.882127Z"}, {"uuid": "23ec08b9-d12b-4ae4-94a1-58b162b3d506", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-40933", "type": "seen", "source": "https://www.acn.gov.it/portale/w/flowiseai-poc-pubblico-per-lo-sfruttamento-della-cve-2026-40933", "content": "", "creation_timestamp": "2026-06-01T01:37:37.000000Z"}, {"uuid": "3256cdc5-3fec-42c5-a23f-c57ebe5635f9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40931", "type": "seen", "source": "https://bsky.app/profile/undercodenews.bsky.social/post/3mnfbmwaha72h", "content": "Silent Supply Chain Break: CVE-2026-40931 Uncovers a Dangerous Patch Bypass in Nodejs Compressing Library +\u00a0Video\n\n\ud83e\udde0 Introduction: When a Fixed Bug Comes Back Stronger A vulnerability that was once believed to be fully resolved has resurfaced in a far more dangerous form. CVE-2026-40931 reveals\u2026", "creation_timestamp": "2026-06-03T14:03:53.927777Z"}, {"uuid": "1c5f4c46-55bf-4221-856d-ce5f8ba5e3ac", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-40934", "type": "published-proof-of-concept", "source": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f", "content": "", "creation_timestamp": "2026-05-05T13:16:27.000000Z"}, {"uuid": "6028c491-1c0f-416c-aaa5-c4b28ee1c35c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-40933", "type": "published-proof-of-concept", "source": "https://www.obsidiansecurity.com/blog/when-is-stdio-mcp-actually-a-vulnerability", "content": "", "creation_timestamp": "2026-05-28T12:00:00.000000Z"}]}