40 matches found
Command Injection
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Command Injection via the Custom MCP configuration in http://localhost:3000/canvas. An attacker can execute arbitrary commands on the underlying operating system by supplying crafted argument...
Server-side Request Forgery (SSRF)
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the HTTP Node as it is used in AgentFlow and Chatflow. An attacker can access internal network resources, retrieve sensitive information, or modify and...
@cognigy/cognigy-cli (>=1.9.7 <=2.1.0), @meta-1/nest-ai (>=0.0.1 <=0.0.5) +10 more potentially affected by CVE-2026-26019 via @langchain/community (>=1.0.0 <=1.1.12)
@langchain/community NPM version =1.0.0, =1.9.7, =0.0.1, =0.2.0, =0.0.16, =1.4.13, =1.0.24, =1.0.0, =3.1.0, =0.3.0, =0.0.210, =0.1.1, =0.1.2 Source cves: CVE-2026-26019 Source advisory: SNYK:JS-LANGCHAINCOMMUNITY-15268428...
Arbitrary Command Injection
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary Command Injection via the nodevm execution environment when integrated modules such as Puppeteer or Playwright are used with attacker-controlled browser binary paths and parameters...
copilot-studio-datainsight (>=0.0.1 <=0.0.6), flowise (>=1.6.1 <=2.2.8) potentially affected by CVE-2025-61913 via flowise-components (>=1.3.4 <=2.2.8)
flowise-components NPM version =1.3.4, =0.0.1, =1.6.1, =2.2.8 Source cves: CVE-2025-61913 Source advisory: OSV:GHSA-J44M-5V8F-GC9C...
Directory Traversal
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Directory Traversal via the WriteFile and ReadFile tools. An attacker can gain full control over the server, including executing arbitrary commands, by supplying crafted file paths that allow...
copilot-studio-datainsight (>=0.0.1 <=0.0.6), flowise (>=1.6.1 <=2.2.8) potentially affected by CVE-2025-61913 via flowise-components (>=1.3.4 <=2.2.8)
flowise-components NPM version =1.3.4, =0.0.1, =1.6.1, =2.2.8 Source cves: CVE-2025-61913 Source advisory: OSV:GHSA-JV9M-VF54-CHJJ...
flowise (>=2.0.0 <=2.2.8) potentially affected by unknown CVE via flowise-components (=2.2.8)
flowise-components NPM version =2.2.8 is affected by a known vulnerability. The following packages have a transitive dependency on flowise-components and may be impacted: - flowise =2.0.0, =2.2.8 Source cves: unknown CVE Source advisory: SNYK:JS-FLOWISECOMPONENTS-12878598...
Path Traversal
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Path Traversal via improper validation of the user-supplied chatflowid identifier in the addBase64FilesToStorage function. An attacker can access or modify arbitrary files, execute code, or...
Directory Traversal
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Directory Traversal via improper validation of the chatId parameter in the file access process. An attacker can access sensitive files on the server filesystem, including database files...
Arbitrary Code Injection
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary Code Injection via the convertToValidJSONString function. An attacker can execute arbitrary JavaScript code with full server privileges by supplying malicious input to the...
flowise (>=2.0.0 <=2.2.8) potentially affected by CVE-2025-59528 via flowise-components (=2.2.8)
flowise-components NPM version =2.2.8 is affected by a known vulnerability. The following packages have a transitive dependency on flowise-components and may be impacted: - flowise =2.0.0, =2.2.8 Source cves: CVE-2025-59528 Source advisory: SNYK:JS-FLOWISECOMPONENTS-12818376...
flowise (>=1.6.1 <=2.2.8) potentially affected by CVE-2025-59527 via flowise-components (>=1.8.6 <=2.2.8)
flowise-components NPM version =1.8.6, =1.6.1, =2.2.8 Source cves: CVE-2025-59527 Source advisory: SNYK:JS-FLOWISECOMPONENTS-12840076...
Server-side Request Forgery (SSRF)
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetch function in the fetch-links feature when user-supplied URLs are not validated. An attacker can access internal network resources and sensitive...
Arbitrary Code Injection
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary Code Injection via the supabaseRPCFilter parameter. An attacker with administrative privileges can execute arbitrary server-side code, access sensitive environment variables, and...
flowise (>=1.6.1 <=2.2.8) potentially affected by unknown CVE via flowise-components (>=1.8.6 <=2.2.8)
flowise-components NPM version =1.8.6, =1.6.1, =2.2.8 Source cves: unknown CVE Source advisory: SNYK:JS-FLOWISECOMPONENTS-12818395...
Arbitrary Code Injection
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary Code Injection due to the unsafe implementation of a dynamic Function constructor. An attacker can execute arbitrary JavaScript code on the server by sending a crafted POST request...
@proompter/demo-next (>=0.0.16 <=0.0.19), @proompter/flowise (>=1.4.13 <=1.4.14) +2 more potentially affected by CVE-2025-8943 via flowise-components (>=1.3.4 <=3.1.2)
flowise-components NPM version =1.3.4, =0.0.16, =1.4.13, =0.0.1, =1.0.0, =3.1.2 Source cves: CVE-2025-8943 Source advisory: SNYK:JS-FLOWISECOMPONENTS-11953677...
Command Injection
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Command Injection via the CustomMCP class. An attacker can gain unauthorized remote access and execute arbitrary operating system commands by sending crafted requests over the network. This i...
SQL Injection
flowise-components is vulnerable to SQL Injection. The vulnerability is due to improper sanitization of the tableName parameter in PostgresVectorStore, which allows an attacker to execute arbitrary SQL commands...