FlowiseAI’s Flowise npm package carries CVE-2025-59528, an unauthenticated remote code execution flaw in the Custom MCP node (CVSS 9.5, EPSS in the 99th percentile). VulnCheck has confirmed active exploitation, and more than 12,000 internet-exposed instances remain unpatched six months after the fix was released. Two further CVEs cited as associated in vendor disclosures (CVE-2025-8943 and CVE-2025-26319) had not been independently verified against NVD at the time of writing. Because the flaw requires no credentials and is trivially exploitable at scale, organizations must upgrade every Flowise deployment to version 3.0.6 or later immediately and block all public internet access to Flowise instances until the patch has been validated.
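The advisory reduces to two questions per deployment: is the running version at or above 3.0.6, and is the listener reachable from the internet? The triage script below is an added example, not code from FlowiseAI or from the advisory's authors. It takes a constructed inventory (hostnames are placeholders; the version strings are assumed to have been collected by the operator, for example from the deployed package version or image tag) and ranks each host for action. It compares versions numerically, because a plain string comparison ranks "3.0.10" below "3.0.6" and would mis-classify a patched instance, and it treats pre-release builds of 3.0.6 and unparseable versions as unpatched.

```python
"""Fleet triage for the Flowise CVE-2025-59528 advisory (added example).

Assumptions: the fixed version 3.0.6 comes from the advisory; the inventory
format (host, version, exposure) and the hostnames are constructed for this
example and are not real Flowise hosts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

FIXED_VERSION = "3.0.6"  # first fixed release per the advisory

# Optional leading "v", three numeric components, optional semver pre-release
# ("-rc.1") and build metadata ("+sha").
_VER_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text: str):
    """Return a comparable tuple (major, minor, patch, is_release).

    is_release is 1 for a final release and 0 for a pre-release, so that
    3.0.6-rc.1 sorts below 3.0.6 as semver requires.
    """
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def is_patched(version: str) -> bool:
    """True when the version is at or above FIXED_VERSION (numeric compare)."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


@dataclass
class Finding:
    host: str
    version: str
    exposure: str          # "public" or "internal"
    patched: Optional[bool]  # None when the version could not be parsed
    action: str


# Constructed sample inventory: host, reported version, exposure.
SAMPLE_INVENTORY = """
# host, version, exposure  (constructed placeholders, not real hosts)
flowise-a.example.internal, 3.0.5, public
flowise-b.example.internal, 3.0.10, public
flowise-c.example.internal, v2.2.8, internal
flowise-d.example.internal, 3.0.6-rc.1, public
flowise-e.example.internal, unknown, internal
flowise-f.example.internal, 3.1.0, internal
"""

_PRIORITY = {"P0": 0, "P1": 1, "OK": 2}


def triage(inventory_text: str) -> List[Finding]:
    """Classify every inventory line and return findings, most urgent first."""
    findings = []
    for line in inventory_text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, version, exposure = (f.strip() for f in line.split(","))
        try:
            patched: Optional[bool] = is_patched(version)
        except ValueError:
            patched = None  # unknown version: cannot assume it is fixed
        if patched is None:
            action = "P0: version unknown, treat as unpatched; verify and isolate"
        elif patched:
            action = f"OK: at or above {FIXED_VERSION}"
        elif exposure == "public":
            action = "P0: unpatched and internet-exposed; block ingress now, then upgrade"
        else:
            action = "P1: unpatched, internal only; upgrade in the next window"
        findings.append(Finding(host, version, exposure, patched, action))
    findings.sort(key=lambda f: _PRIORITY[f.action[:2]])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:30} {f.version:10} {f.exposure:9} {f.action}")
```

Run it as-is to see the sample ranking; in practice replace SAMPLE_INVENTORY with the output of whatever asset inventory or scanner you already use. The "unknown" row is deliberately ranked P0: an instance whose version cannot be established should be isolated until it can be.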