GHSA-MG66-MRH9-M8JX Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components

Impact Applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections ope...

Vulnerabilities handled in Apache Camel

The Apache Software Foundation has identified vulnerabilities in Apache Camel. These vulnerabilities exist in various components of Apache Camel. The issues include insecure deserialization, insufficient filtering of email headers, incorrect authentication path matching, and improper processing o...

Arbitrary Code Injection

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Arbitrary Code Injection via the customReadCSVFunc process. An attacker can execute arbitrary code on the server by supplying malicious input that is interpolated and executed without proper sanitization...

Arbitrary Code Injection

Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary Code Injection via the customReadCSVFunc process. An attacker can execute arbitrary code on the server by supplying malicious input that is interpolated and executed without proper...

CVE-2026-30820

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/ authorization checks. With only a browser...

CVE-2026-30820

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/ authorization checks. With only a browser...

Flowise has Authorization Bypass via Spoofed x-request-from Header

Summary Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/ authorization checks. With only a browser cookie, a low-privilege tenant can invoke internal administration endpoints API key management, credentia...

GHSA-WVHQ-WP8G-C7VQ Flowise has Authorization Bypass via Spoofed x-request-from Header

Summary Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/ authorization checks. With only a browser cookie, a low-privilege tenant can invoke internal administration endpoints API key management, credentia...

PT-2026-23786

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.0.13 Description Flowise incorrectly trusts HTTP clients that set the header x-request-from: internal, bypassing authorization checks for all /api/v1/ endpoints. This allows an authenticated tenant session to invoke...

📄 Flowise Custom MCP Remote Code Execution

This Metasploit module exploits a remote code execution vulnerability in Flowise versions greater than or equal to 2.2.7-patch.1 and less than 3.0.1. The vulnerability exists in the customMCP endpoint /api/v1/node-load-method/customMCP located in...

Flowise Custom MCP Remote Code Execution

This module exploits a remote code execution vulnerability in Flowise versions = 2.2.7-patch.1 and use exploit/multi/http/flowisecustommcprce msf exploitflowisecustommcprce show targets ...targets... msf exploitflowisecustommcprce set TARGET msf exploitflowisecustommcprce show options ...show and...

PT-2021-5074 · Juniper Networks · 128 Technology Session Smart Router

Name of the Vulnerable Software and Affected Versions: Juniper Networks 128 Technology Session Smart Router versions prior to 4.5.11 Juniper Networks 128 Technology Session Smart Router versions 5.0 up to and including 5.0.1 Description: The usage of an internal HTTP header created an...