8284 matches found
Server-side Request Forgery (SSRF)
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the getHttpDenyList process in httpSecurity.ts. An attacker can reach internal or otherwise denied HTTP endpoints by supplying requests that rely on t...
Arbitrary File Upload
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary File Upload in the createAttachment in Chatflow. An attacker can upload and persistently store malicious JavaScript files on the server by bypassing MIME type validation, which may...
Partial String Comparison
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Partial String Comparison due to the replaceInputsWithConfig logic in packages/server/src/utils/index.ts. An attacker can override flow parameters by supplying a crafted override configuratio...
Arbitrary Code Injection
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary Code Injection via the customReadCSVFunc process. An attacker can execute arbitrary code on the server by supplying malicious input that is interpolated and executed without proper...
copilot-studio-datainsight (>=0.0.1 <=0.0.6), flowise (>=1.6.1 <=2.2.8) potentially affected by CVE-2026-41138 via flowise-components (>=1.3.4 <=2.2.8)
flowise-components NPM version =1.3.4, =0.0.1, =1.6.1, =2.2.8 Source cves: CVE-2026-41138 Source advisory: SNYK:JS-FLOWISECOMPONENTS-16110988...
Arbitrary Code Injection
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary Code Injection through the pythonCodeValidator and the Python execution paths in AirtableAgent.ts and CSVAgent.ts. An attacker can supply LLM-generated Python code that smuggles in...
Server-side Request Forgery (SSRF)
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via ExecuteFlow.ts. An attacker can cause the server to initiate HTTP requests to internal network addresses, potentially accessing sensitive management...
Server-side Request Forgery (SSRF)
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the URL-fetching tool in ExecuteFlow.ts, APILoader.ts, FireCrawl.ts, SpiderApp.ts, AzureRerank.ts, Jira/core.ts, MCP/core.ts, OpenAPIToolkit.ts, and...
Directory Traversal
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Directory Traversal via the vector store path handling in Faiss.ts and SimpleStore.ts. An attacker can read from or write to unintended filesystem locations by supplying a crafted basePath wh...
flowise (>=1.6.1 <=2.2.8) potentially affected by unknown CVE via flowise-components (>=1.8.6 <=2.2.8)
flowise-components NPM version =1.8.6, =1.6.1, =2.2.8 Source cves: unknown CVE Source advisory: SNYK:JS-FLOWISECOMPONENTS-16115272...
Use of a Broken or Risky Cryptographic Algorithm
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the process that handles JWT secret assignment. An attacker can gain unauthorized access and impersonate any user, including administrators...
Command Injection
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Command Injection via the Custom MCP configuration in http://localhost:3000/canvas. An attacker can execute arbitrary commands on the underlying operating system by supplying crafted argument...
Security Bulletin: IBM SOAR QRadar Plugin App is vulnerable to using components with known vulnerabilities
Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. IBM SOAR QRadar Plugin App has addressed the applicable CVEs with an update. Vulnerability Details CVEID:CVE-2026-26007 DESCRIPTION: cryptography is a package...
Security Bulletin: IBM SOAR QRadar Plugin App is vulnerable to using components with known vulnerabilities
Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. IBM SOAR QRadar Plugin App has addressed the applicable CVEs with an update. Vulnerability Details CVEID:CVE-2026-22701 DESCRIPTION: filelock is a...
Security Bulletin: IBM SOAR QRadar Plugin App is vulnerable to using components with known vulnerabilities
Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. IBM SOAR QRadar Plugin App has addressed the applicable CVEs with an update. Vulnerability Details CVEID:CVE-2025-68146 DESCRIPTION: filelock is a...
Security Bulletin: IBM SOAR QRadar Plugin App is vulnerable to using components with known vulnerabilities
Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. IBM SOAR QRadar Plugin App has addressed the applicable CVEs with an update. Vulnerability Details CVEID:CVE-2025-66418 DESCRIPTION: urllib3 is a user-friendly...
Malicious code in helios-components (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector abeb968ba4df2b2034b9794205c8251dd5687f652448abd156fafb7f117fbc6e The package helios-components was found to contain malicious code...
MAL-2026-2770 Malicious code in helios-components (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector abeb968ba4df2b2034b9794205c8251dd5687f652448abd156fafb7f117fbc6e The package helios-components was found to contain malicious code...
MAL-2026-2703 Malicious code in @3stripes/components (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 31ba4725ff03b9b0a4645734fca9af46fbd145e147f7fb7ee0942853c425f53f The package @3stripes/components was found to contain malicious code...
Malicious code in @3stripes/components (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 31ba4725ff03b9b0a4645734fca9af46fbd145e147f7fb7ee0942853c425f53f The package @3stripes/components was found to contain malicious code...