{"vulnerability": "ghsa-m99r-2hxc-cp3q", "sightings": [{"uuid": "cc699496-a6fd-4811-8ea8-9dfb3bcfb2a4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-m99r-2hxc-cp3q", "type": "seen", "source": "https://gist.github.com/muhamedfazalps/db2c0e46436e75ee35dd214e14e27b40", "content": "# CVE-2026-56274: Critical OS Command Injection in Flowise\n\n**CVSS 9.9 (Critical) | Disclosed: June 24, 2026 | Fixed in 3.1.2**\n\n## Summary\nCVE-2026-56274 is an OS command injection vulnerability in FlowiseAI Flowise before version 3.1.2, specifically in the Custom MCP Server feature.\n\n## Technical Details\n- **CWE**: CWE-78 (OS Command Injection)\n- **CVSS Vector**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\n- **Attack Type**: Remote (network)\n- **Privileges Required**: Low (any authenticated user)\n- **Impact**: Complete compromise of confidentiality, integrity, and availability\n\n## Status: FIXED in 3.1.2\nFlowise released a fix in version 3.1.2. See advisory: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-m99r-2hxc-cp3q\n\n## Affected\n- FlowiseAI Flowise &lt; 3.1.2\n- Note: Flowise was acquired by Workday (NASDAQ: WDAY) in August 2025\n\n## References\n- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-56274\n- Advisory: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-m99r-2hxc-cp3q\n- Full Article: https://muhamedfazalps.github.io/security-alerts-june-2026/blog/cve-2026-56274-flowise-rce.html\n\n---\n*If this analysis helped you, consider supporting security research: https://buymeacoffee.com/muhamedfazalps*", "creation_timestamp": "2026-06-25T05:43:10.883663Z"}]}