Lucene search
K

10 matches found

Cvelist
Cvelist
added 2026/06/25 9:41 p.m.21 views

CVE-2025-71334 Flowise - Arbitrary File Access via Missing Chat Flow ID Validation

Flowise before 3.0.6 affected versions 2.2.8 and earlier contains an arbitrary file access vulnerability due to missing validation that the chatflowId and chatId parameters are UUIDs or numbers in file handling operations. By supplying a path-traversal value e.g., '../../../../../tmp' as the...

9.8CVSS0.00895EPSS
Exploits1References4
NVD
NVD
added 2026/06/24 1:16 p.m.8 views

CVE-2025-71332

Flowise through 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON import file whose id field is concatenated unsanitized into a SQL IN clause, allowing arbitrary SQL to ...

8.8CVSS0.00283EPSS
Exploits1References2
EUVD
EUVD
added 2026/06/24 11:53 a.m.12 views

EUVD-2025-210326

Flowise through 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON import file whose id field is concatenated unsanitized into a SQL IN clause, allowing arbitrary SQL to ...

8.5CVSS6AI score0.00283EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/06/24 11:53 a.m.6 views

CVE-2025-71332 Flowise - SQL Injection in importChatflows API via chatflow.id Parameter

Flowise through 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON import file whose id field is concatenated unsanitized into a SQL IN clause, allowing arbitrary SQL to ...

8.5CVSS6AI score0.00283EPSS
Exploits1References2
CVE
CVE
added 2026/06/24 11:53 a.m.8 views

CVE-2025-71332

Flowise 2.2.7 contains a SQL injection in the importChatflows API triggered by unsanitized chatflow.id in a JSON import file. An authenticated user can craft the id field so it is concatenated into a SQL IN clause, enabling arbitrary SQL execution and extraction of data from the credential table ...

8.8CVSS6AI score0.00283EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/15 8:11 p.m.8 views

Flowise has arbitrary file access due to missing chat flow id validation

Summary Missing chat flow id validation allows an attacker to access arbitrary file. Details Commit https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f and https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7 added check for filenam...

7AI score
Exploits0References4Affected Software1
OSV
OSV
added 2024/08/05 9:29 p.m.66 views

GHSA-WXM4-9F8P-GGGV Flowise Cross-site Scripting in/api/v1/credentials/id

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the /api/v1/credentials/id endpoint. If the default configuration is used unauthenticated, an attacker may be able to craf...

6.1CVSS6.2AI score0.00405EPSS
Exploits1References4
NVD
NVD
added 2024/07/01 7:15 p.m.37 views

CVE-2024-36423

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the /api/v1/public-chatflows/id endpoint. If the default configuration is used unauthenticated, an attacker may be able to...

6.1CVSS0.00405EPSS
Exploits1References2
CVE
CVE
added 2024/07/01 6:19 p.m.91 views

CVE-2024-37145

Flowise v1.4.3 exposes a reflected XSS in /api/v1/chatflows-streaming/id. An unauthenticated user can craft a URL to inject Javascript, potentially exfiltrating data, creating popups, or redirecting users, with reflection on 404 HTML pages enabling script attachment. This XSS may be chained with ...

6.1CVSS6.2AI score0.00459EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2024/07/01 6:17 p.m.31 views

CVE-2024-36423 GHSL-2023-246: Flowise xss in /api/v1/public-chatflows/id

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the /api/v1/public-chatflows/id endpoint. If the default configuration is used unauthenticated, an attacker may be able to...

6.1CVSS5.8AI score0.00405EPSS
Exploits1References4
Rows per page
Query Builder