Lucene search
K

27 matches found

Vulnrichment
Vulnrichment
added 2025/09/22 7:54 p.m.4 views

CVE-2025-59528 Flowise has Remote Code Execution vulnerability

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided...

10CVSS7.5AI score0.90183EPSS
Exploits21References8
OSV
OSV
added 2025/09/22 7:54 p.m.6 views

CVE-2025-59528 Flowise has Remote Code Execution vulnerability

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided...

10CVSS7.6AI score0.90183EPSS
Exploits21References10
CVE
CVE
added 2025/09/22 7:54 p.m.253 views

CVE-2025-59528

Flowise 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig string is parsed and passed to the Function() constructor via convertToValidJSONString without validation, allowing an attacker to execute arbitrary JavaScript with Node.js privileges (e.g., ac...

10CVSS7.5AI score0.90183EPSS
In wildExploits21References8Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/15 8:30 p.m.11 views

Flowise has unsandboxed remote code execution via Custom MCP

Summary The Custom MCPs feature is designed to execute OS commands, for instance, using tools like npx to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls RBAC. Furthermore, the default installation of...

7.8AI score
Exploits0References5Affected Software1
Snyk
Snyk
added 2025/09/15 7:59 p.m.5 views

Arbitrary Code Injection

Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary Code Injection via the convertToValidJSONString function. An attacker can execute arbitrary JavaScript code with full server privileges by supplying malicious input to the...

10CVSS7.7AI score0.90183EPSS
Exploits21References2
Github Security Blog
Github Security Blog
added 2025/09/15 7:59 p.m.29 views

Flowise has Remote Code Execution vulnerability

Description Cause of the Vulnerability The CustomMCP node allows users to input configuration settings for connecting to an external MCP Model Context Protocol server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it...

10CVSS8AI score0.90183EPSS
Exploits21References10Affected Software1
Positive Technologies
Positive Technologies
added 2025/09/15 12:0 a.m.8 views

PT-2025-39075

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.0.6 Description Flowise is a drag-and-drop user interface for building customized large language model flows. A critical issue exists in the CustomMCP node, which allows users to input configuration settings for...

10CVSS7.8AI score0.90183EPSS
Exploits21References88
Rows per page
Query Builder