FlowiseAI's Flowise is under active exploitation via CVE-2025-59528 (CVSS 9.5), a code injection flaw in the CustomMCP node that requires only a valid API token to achieve full RCE against the host; the flaw carries an EPSS score at the 99.2nd percentile, and over 12,000 exposed instances have been reported. A related path traversal vulnerability (CVE-2025-26319) compounds the risk and shares the same remediation path. Organizations running Flowise in production should upgrade to npm package version 3.0.6 or later immediately, revoke exposed API tokens and secrets, and isolate Flowise infrastructure from public internet access; the combination of active exploitation, high exposure volume, and credential theft risk makes this a flash-priority item despite the absence of a CISA KEV listing.
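As an added triage helper (not code from the advisory or the Flowise project), the script below checks an inventory of Flowise deployments against the 3.0.6 fix threshold, treating prerelease builds of 3.0.6 as still affected, and emits the remediation actions the advisory calls for; the `Instance` record and the sample inventory are constructed assumptions.

```python
import re
from dataclasses import dataclass

FIXED_VERSION = "3.0.6"  # first flowise npm release stated as fixed for CVE-2025-59528

def parse_version(v: str) -> tuple:
    """Parse 'major.minor.patch' with an optional 'v' prefix, prerelease tag and build metadata.
    Returns a tuple that sorts correctly: a prerelease (3.0.6-rc.1) sorts before its release (3.0.6)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    # Flag 0 for prerelease, 1 for release, so (3,0,6,0,'rc.1') < (3,0,6,1,'').
    return (major, minor, patch, 0 if pre else 1, pre or "")

def is_affected(version: str) -> bool:
    """True when the installed flowise package is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)

@dataclass
class Instance:  # assumed inventory record shape (hypothetical)
    host: str
    version: str
    internet_exposed: bool

def triage(instances) -> dict:
    """Map each host to the ordered list of remediation actions it needs."""
    plan = {}
    for inst in instances:
        actions = []
        if is_affected(inst.version):
            actions.append("upgrade to flowise >= 3.0.6")
            # Exploitation is in the wild, so treat tokens on unpatched hosts as exposed.
            actions.append("revoke API tokens and rotate stored secrets")
        if inst.internet_exposed:
            actions.append("remove public internet exposure")
        plan[inst.host] = actions
    return plan

INVENTORY = [  # constructed sample data, not real hosts
    Instance("flowise-prod-1.example.internal", "3.0.5", True),
    Instance("flowise-prod-2.example.internal", "3.0.6", True),
    Instance("flowise-dev.example.internal", "3.0.6-rc.1", False),
    Instance("flowise-lab.example.internal", "v3.1.0", False),
]

if __name__ == "__main__":
    for host, actions in triage(INVENTORY).items():
        print(host, "->", actions or ["no action"])
```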