Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation — 12,000+ Instances Exposed
If you are running Flowise and have not upgraded to version 3.0.6 of the npm package, you are likely already compromised — or actively being probed. Researchers at VulnCheck have confirmed that CVE-2025-59528, a CVSS 10.0 (maximum severity) code injection vulnerability in the open-source AI agent builder Flowise, has been under active exploitation for over six months. Between 12,000 and 15,000 publicly exposed Flowise instances remain unpatched as of the time of reporting, according to data shared with The Hacker News and BleepingComputer. ...
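A defender's check for the upgrade advice above, as an added example that is not from the article or the Flowise project: it walks an npm lockfile (the v1 nested `dependencies` layout and the v2/v3 `packages` map) and flags any `flowise` entry older than 3.0.6. The function names and sample lockfiles are constructed for illustration; it assumes the package is installed under the npm name `flowise`, and it reports only the locked version, not whether a host has been compromised.

```javascript
const FIXED = "3.0.6"; // first patched npm version, as stated in the article

// Parse "x.y.z[-pre]" into numeric core parts plus an optional prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// True when `version` sorts before the fixed release. A prerelease of the fixed
// version (3.0.6-rc.1) counts as older. Unparseable versions fail closed.
function isVulnerable(version, fixed = FIXED) {
  const a = parseVersion(version), b = parseVersion(fixed);
  if (!a || !b) return true; // unknown version: needs a manual look
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i];
  }
  return a.pre !== null && b.pre === null;
}

// Collect every installed copy of `name`, including copies nested under other packages.
function findFlowise(lock, name = "flowise") {
  const hits = [];
  // lockfileVersion 2/3: flat map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: entry.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (v2 duplicates it, so skip it there).
  const walk = (deps, trail) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${dep}`;
      if (dep === name) hits.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits.map((h) => ({ ...h, vulnerable: isVulnerable(h.version) }));
}

// Constructed sample lockfiles (not taken from any real deployment).
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "agent-host", version: "1.0.0" },
  "node_modules/flowise": { version: "3.0.5" },
  "node_modules/flowise-components": { version: "3.0.5" } } };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  wrapper: { version: "0.1.0", dependencies: { flowise: { version: "3.0.6" } } } } };

console.log(findFlowise(sampleV3), findFlowise(sampleV1));
```

To run it against a real project, pass the parsed contents of `package-lock.json` to `findFlowise`. Global or container installs have no project lockfile and need the installed version checked directly.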