CVE-2026-7111

Text::CSV_XS for Perl prior to 1.62 is affected by a use-after-free when callbacks extend the Perl argument stack. The Parse, print, getline, and getline_all methods cache the stack pointer across calls; if a callback triggers stack reallocation, a stale pointer is used to write a return value, c...

CVE-2026-7111

Text::CSVXS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption. The Parse, print, getline, and getlineall methods invoke registered callbacks for example afterparse, beforeprint, or...

PT-2026-35929

Name of the Vulnerable Software and Affected Versions Text::CSV XS versions prior to 1.62 Description A use-after-free issue exists when registered callbacks extend the Perl argument stack, potentially leading to type confusion or memory corruption. The Parse, print, getline, and getline all...

Text-CSV_XS 资源管理错误漏洞

Text-CSVXS is a CSV file parsing and generation tool developed by CPAN authors under open source. Versions of Text-CSVXS prior to 1.62 contained a resource management vulnerability. This vulnerability stemmed from the use of the Perl parameter stack during registration callback extensions; reusin...

[SECURITY] Fedora 43 Update: rpki-client-9.8-1.fc43

The OpenBSD rpki-client is a free, easy-to-use implementation of the Resource Public Key Infrastructure RPKI for Relying Parties RP to facilitate validation of the Route Origin of a BGP announcement. The program queries the RPKI repository system, downloads and validates Route Origin Authorisatio...

CVE-2026-41264

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSVAgents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. An attacker can...

CVE-2026-41264 Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSVAgents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. An attacker can...

CVE-2026-41264

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSVAgents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. An attacker can...

CVE-2026-41137 Flowise: Code Injection in CSVAgent leads to Authenticated RCE

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the...

CVE-2026-41137

Flowise CVE-2026-41137 affects the Flowise UI stack, specifically the CSVAgent component, which allows providing a custom Pandas CSV read code. The lack of sanitization enables a command-injection payload to be interpolated and executed by the server. This is documented across multiple sources, w...

Langflow RCE

The CSV Agent node in Langflow hardcodes allowdangerouscode=True, which automatically exposes LangChain's Python REPL tool pythonreplast. As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution RCE. Module...

Flowise 安全漏洞

Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Prior versions of Flowise, up to 3.1.0, contained a security vulnerability. This vulnerability stemmed from the lack of proper sandboxing mechanisms in the run method of the CSVAgents class,...

PT-2026-34729

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the...

GHSA-3HJV-C53M-58JJ Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability

Abstract Trend Micro's Zero Day Initiative has identified a vulnerability affecting FlowiseAI Flowise. Vulnerability Details - Version tested: 3.0.13 - Installer file: https://github.com/FlowiseAI/Flowise - Platform tested: Ubuntu 25.10 Analysis This vulnerability allows remote attackers to execu...

Incomplete List of Disallowed Inputs

Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the run function of the CSVAgents class when evaluating LLM-generated Python scripts in a pyodide environment without sufficient sandboxing. An attack...

Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability

Abstract Trend Micro's Zero Day Initiative has identified a vulnerability affecting FlowiseAI Flowise. Vulnerability Details - Version tested: 3.0.13 - Installer file: https://github.com/FlowiseAI/Flowise - Platform tested: Ubuntu 25.10 Analysis This vulnerability allows remote attackers to execu...

PT-2026-34236

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.0 Description A flaw exists in the run method of the CSV Agents class due to improper sandboxing when evaluating Python scripts generated by a Large Language Model LLM. An unauthenticated attacker can use prompt...

CVE-2026-31927

Anviz CX7 Firmware is vulnerable to an authenticated CSV upload which allows path traversal to overwrite arbitrary files e.g., /etc/shadow, enabling unauthorized SSH access when combined with debug‑setting changes...

CVE-2026-31927

CVE-2026-31927 concerns the Anviz CX7 Firmware, where an authenticated CSV upload vulnerability enables path traversal to overwrite arbitrary files (for example, /etc/shadow). This can lead to unauthorized SSH access when combined with debug‑setting changes. The available connected sources confir...

WordPress Unlimited Elements For Elementor plugin <= 2.0.6 - Authenticated (Contributor+) Arbitrary File Read via Path Traversal in Repeater JSON/CSV URL with Path Traversal vulnerability

Authenticated Contributor+ Arbitrary File Read via Path Traversal in Repeater JSON/CSV URL with Path Traversal vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Unlimited Elements For Elementor Free Widgets, Addons, Templates versions = 2.0.6...