5 matches found
CVE-2026-41275
CVE-2026-41275 affects Flowise: prior to 3.1.0, the password reset flow exposed reset links over unsecured HTTP instead of HTTPS. The root cause described in the connected documents is the transmission of tokens via plaintext URLs driven by misconfigured origins (e.g., APP_URL) and the risk of MI...
Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed
Threat actors are exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck. The vulnerability in question is CVE-2025-59528 (CVSS score: 10.0), a code injection vulnerability that could result in remote cod...
Flowise doesn't Prevent Bypass of Password Confirmation through Unverified Email Change (credentials)
Summary: Unverified Email Change - Email as part of Credential / Unverified Account Recovery Channel Change. The application allows changing the account email address used as a login identifier and/or password recovery address without verifying the requester’s authority to make that change no...
GHSA-4FR9-3X69-36WV Flowise vulnerable to XSS
Summary: An XSS (cross-site scripting) vulnerability is caused by insufficient filtering of input by web applications. Attackers can leverage this XSS vulnerability to inject malicious script code (HTML code or client-side JavaScript code) into web pages, and when users browse these web pages, the...
Flowise vulnerable to XSS
Summary: An XSS (cross-site scripting) vulnerability is caused by insufficient filtering of input by web applications. Attackers can leverage this XSS vulnerability to inject malicious script code (HTML code or client-side JavaScript code) into web pages, and when users browse these web pages, the...