The Flowise AI platform carries three CVEs under active exploitation as of April 7, 2026. The list is led by CVE-2025-59528 (CVSS reported as 9.5–10.0 pending NVD confirmation, EPSS 99.2nd percentile, priority 0.689), an unauthenticated arbitrary JavaScript injection flaw that enables RCE on any internet-exposed Flowise instance running a version below 3.0.6. First exploitation was detected April 7, 2026; with an estimated 12,000–15,000 internet-exposed instances, rapid attacker spread should be assumed. CVE-2025-8943 and CVE-2025-26319 are also actively exploited against the same platform; full technical details should be retrieved from NVD. Upgrade all Flowise deployments to version 3.0.6 immediately, restrict API access to trusted networks, and review all three CVEs at NVD for complete version scope and technical detail.
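The following triage script is an added example, not code from this advisory or from the Flowise project. It ranks an asset inventory against the two mitigations above: the 3.0.6 threshold given for CVE-2025-59528 and API access limited to trusted networks. The inventory field names, host names and trusted ranges are assumptions, and the check does not cover the version scope of CVE-2025-8943 or CVE-2025-26319, which the advisory does not state.

```python
import ipaddress
import re

FIXED = (3, 0, 6)  # first release the advisory lists as not affected by CVE-2025-59528

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease), or None if unparseable."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.-]+)?", text.strip())
    return ((int(m[1]), int(m[2]), int(m[3] or 0)), bool(m[4])) if m else None

def is_vulnerable(version_text):
    parsed = parse_version(version_text)
    if parsed is None:
        return True  # unknown version: treat as unpatched until verified
    core, prerelease = parsed
    # A pre-release of 3.0.6 sorts before 3.0.6, so it is not assumed to carry the fix.
    return core < FIXED or (core == FIXED and prerelease)

def exposed_sources(allowed_cidrs, trusted_cidrs):
    """Return allowlist entries that are not fully inside a trusted network."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    return [c for c in allowed_cidrs
            if not any(ipaddress.ip_network(c, strict=False).version == t.version
                       and ipaddress.ip_network(c, strict=False).subnet_of(t)
                       for t in trusted)]

def triage(inventory, trusted_cidrs):
    """Return (host, action) pairs for every host that needs work."""
    findings = []
    for host in inventory:
        vuln = is_vulnerable(host["version"])
        wide = exposed_sources(host["api_allowed_from"], trusted_cidrs)
        if vuln and wide:
            findings.append((host["name"], "URGENT: upgrade and restrict API access"))
        elif vuln:
            findings.append((host["name"], "upgrade"))
        elif wide:
            findings.append((host["name"], "restrict API access"))
    return findings

# Constructed sample data; field names are hypothetical, not a Flowise schema.
TRUSTED = ["10.0.0.0/8", "192.168.0.0/16"]
INVENTORY = [
    {"name": "flow-prod-01", "version": "3.0.5", "api_allowed_from": ["0.0.0.0/0"]},
    {"name": "flow-dev-02", "version": "v2.2.7", "api_allowed_from": ["10.20.0.0/16"]},
    {"name": "flow-lab-03", "version": "3.0.6", "api_allowed_from": ["0.0.0.0/0"]},
    {"name": "flow-int-04", "version": "3.1.0", "api_allowed_from": ["192.168.10.0/24"]},
    {"name": "flow-stg-05", "version": "3.0.6-rc.1", "api_allowed_from": ["10.0.5.0/24"]},
]

if __name__ == "__main__":
    for name, action in triage(INVENTORY, TRUSTED):
        print(f"{name}: {action}")
```

Hosts whose version string cannot be parsed are reported as needing an upgrade so that they are checked by hand instead of being silently passed.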