3 matches found
CVE-2026-56233 Capgo - SSRF and Privilege Escalation via Path Traversal in Builder Upload Proxy
Capgo before 12.128.2 contains a path traversal vulnerability in the builder upload proxy that allows authenticated users with build permissions to bypass upload restrictions. Attackers can append traversal sequences to the upload path, which are normalized by the WHATWG URL parser, enabling acce...
CVE-2026-30820 Flowise Authorization Bypass via Spoofed x-request-from Header
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/ authorization checks. With only a browser...
CVE-2026-30820
Flowise, a UI for building LLM flows, is affected pre-3.0.13. The vulnerability arises because the server trusts any HTTP client that sends the header x-request-from: internal, allowing an authenticated tenant with only a session cookie to bypass /api/v1/** authorization checks and access interna...