CVE-2026-46442

Flowise (prior to 3.1.2) is affected by authenticated remote code execution via POST /api/v1/node-custom-function when E2B_APIKEY is not configured. The endpoint lacks route-level authorization, allowing authenticated users/API keys to submit arbitrary JavaScript to Custom JS Function, which is e...

NocoBase 2.0.27 - VM Sandbox Escape

Exploit Title: NocoBase 2.0.27 - VM Sandbox Escape Date: 2026-03-26 Exploit Author: Onurcan Genç Vendor Homepage: https://www.nocobase.com/ Software Link: https://github.com/nocobase/nocobase Version: -u -P --cmd "id"...

GHSA-XHMJ-RG95-44HV Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox

Summary A Server-Side Request Forgery SSRF protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTPDENYLIST for axios and node-fetch libraries, the built-in Node.js http, https, and net modules are allowed in the NodeVM sandb...

CVE-2025-34267

Flowise v3.0.1 3.0.8 and all versions after with 'ALLOWBUILTINDEP' enabled contain an authenticated remote code execution vulnerability and node VM sandbox escape due to insecure use of integrated modules Puppeteer and Playwright within the nodevm execution environment. An authenticated attacker...