Lucene search
K

12 matches found

CVE
CVE
added 2026/06/25 9:41 p.m.13 views

CVE-2025-71334

Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an arbitrary file access vulnerability due to missing validation that chatflowId and chatId are UUIDs or numbers in file handling. An attacker can use path traversal (e.g., ../../../../../tmp) via /api/v1/chatflows (addBase64File...

9.8CVSS6.3AI score0.00895EPSS
Exploits1References4Affected Software1
CVE
CVE
added 2026/06/25 9:41 p.m.18 views

CVE-2025-71324

Flowise before 3.0.6 has an arbitrary file-read vulnerability in the chatId parameter of /api/v1/get-upload-file and /api/v1/openai-assistants-file/download. The chatId value is not validated and is passed to streamStorageFile(), where a fallback file-lookup path constructed without the orgId is ...

8.7CVSS6AI score0.00346EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/05/15 7:20 p.m.15 views

EUVD-2026-30605

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a user just needs to use the API endpoint: /api/chat/completions with their own API key generated in OWUI and the Chat ID of another user to continue the conversation of the other...

7.1CVSS5.8AI score0.00231EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/05/14 8:24 p.m.14 views

Open WebUI has Broken Access Control for Completions API

Summary Any user X can continue the conversation of any other user Y, as long as the Chat ID of Y is known. User X does not even need to be an admin to do so. Details A user just needs to use the API endpoint: /api/chat/completions with their own API key generated in OWUI and the Chat ID of anoth...

7.1CVSS5.8AI score0.00231EPSS
Exploits1References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.15 views

PT-2026-41179

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.0 Description An issue exists where a user can continue the conversation of another user if the target user's Chat ID is known. This occurs because the system fails to verify if the Chat ID matches the user who...

7.1CVSS5.8AI score0.00231EPSS
Exploits1References6
OSV
OSV
added 2026/03/06 10:19 p.m.5 views

GHSA-MQ4R-H2GH-QV7X Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint

Summary A Mass Assignment vulnerability in the /api/v1/leads endpoint allows any unauthenticated user to control internal entity fields id, createdDate, chatId by including them in the request body. The endpoint uses Object.assign to copy all properties from the request body to the Lead entity...

7.7CVSS5.9AI score0.12902EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/03/06 10:19 p.m.7 views

Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint

Summary A Mass Assignment vulnerability in the /api/v1/leads endpoint allows any unauthenticated user to control internal entity fields id, createdDate, chatId by including them in the request body. The endpoint uses Object.assign to copy all properties from the request body to the Lead entity...

7.7CVSS5.9AI score0.12902EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/06 12:0 a.m.7 views

PT-2026-23788

Flowise and Affected Versions Flowise versions prior to 3.0.13 Description Flowise is a drag & drop user interface to build a customized large language model flow. A mass assignment issue exists in the /api/v1/leads endpoint, allowing unauthenticated users to control internal entity fields id,...

7.7CVSS7.2AI score0.12902EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2025/09/15 8:0 p.m.12 views

Flowise has an Arbitrary File Read

Summary An arbitrary file read vulnerability in the chatId parameter supplied to both the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints allows unauthenticated users to read unintended files on the local filesystem. In the default Flowise configuration this allows...

6.9AI score
Exploits0References2Affected Software1
Circl
Circl
added 2025/04/24 6:55 p.m.4 views

CVE-2025-46541

creationtimestamp| type| source ---|---|--- 2025-04-24 18:55:00+00:00| seen| https://t.me/cvedetector/23676...

5.9CVSS8.7AI score0.00182EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2025/01/30 12:0 a.m.6 views

PT-2025-4029 · Embedai · Embedai

Name of the Vulnerable Software and Affected Versions: EmbedAI versions 2.1 and below Description: An Improper Access Control issue allows an authenticated attacker to obtain chat messages belonging to other users by modifying the CHAT ID parameter in the endpoint "/embedai/chats/load messages?ch...

8.6CVSS6.4AI score0.00322EPSS
Exploits0References5
Circl
Circl
added 2024/01/09 10:16 a.m.5 views

RHSA-2024:0089

creationtimestamp| type| source ---|---|--- 2024-01-09 10:16:53+00:00| seen| https://t.me/ctinow/164898...

4.8AI score
Exploits0References1
Rows per page
Query Builder