Lucene search
K

6 matches found

NVD
NVD
added 6 days ago8 views

CVE-2025-71334

Flowise before 3.0.6 affected versions 2.2.8 and earlier contains an arbitrary file access vulnerability due to missing validation that the chatflowId and chatId parameters are UUIDs or numbers in file handling operations. By supplying a path-traversal value e.g., '../../../../../tmp' as the...

9.8CVSS0.0086EPSS
Exploits1References4
CVE
CVE
added 6 days ago13 views

CVE-2025-71334

Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an arbitrary file access vulnerability due to missing validation that chatflowId and chatId are UUIDs or numbers in file handling. An attacker can use path traversal (e.g., ../../../../../tmp) via /api/v1/chatflows (addBase64File...

9.8CVSS6.3AI score0.0086EPSS
Exploits1References4Affected Software1
Cvelist
Cvelist
added 2026/06/24 11:53 a.m.33 views

CVE-2025-71332 Flowise - SQL Injection in importChatflows API via chatflow.id Parameter

Flowise through 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON import file whose id field is concatenated unsanitized into a SQL IN clause, allowing arbitrary SQL to ...

8.5CVSS0.00283EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/04/23 7:11 p.m.6 views

CVE-2026-41266 Flowise: Sensitive Data Leak in public-chatbotConfig

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just...

7.7CVSS5.3AI score0.00346EPSS
Exploits1References1
EUVD
EUVD
added 2026/04/23 7:11 p.m.8 views

EUVD-2026-25283

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just...

7.7CVSS5.8AI score0.00346EPSS
Exploits1References1
OSV
OSV
added 2025/09/15 8:11 p.m.2 views

GHSA-Q67Q-549Q-P849 Flowise has arbitrary file access due to missing chat flow id validation

Summary Missing chat flow id validation allows an attacker to access arbitrary file. Details Commit https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f and https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7 added check for filenam...

9.8CVSS7AI score
Exploits0References4
Rows per page
Query Builder