7 matches found

CVE
added 2 days ago | 6 views

CVE-2026-56268

Flowise ≤ 3.1.1 is vulnerable via /api/v1/chatflows/apikey/:apikey. When the keyonly parameter is omitted, the endpoint returns chatflows bound to the API key plus unprotected chatflows across all workspaces (no workspace filter). An attacker with a valid API key can read full ChatFlow configuration (flowData with system ...

7.7 CVSS | 5.9 AI score | 0.00262 EPSS
Exploits: 0 | References: 2
Patchstack
added 2026/05/20 3:45 p.m. | 13 views

NPM: Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows

NPM: Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

5.8 AI score
Exploits: 0 | References: 2 | Affected Software: 1
Snyk
added 2026/05/14 2:54 p.m. | 6 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview: flowise is a Flowiseai Server. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes over the /api/v1/chatflows endpoint. A user can gain unauthorized access to and modify sensitive attributes, such as deployment...

7.6 CVSS | 5.8 AI score | 0.00268 EPSS
Exploits: 1 | References: 3
CNVD
added 2026/04/24 12:00 a.m. | 9 views

Flowise Information Disclosure Vulnerability

Flowise is a FlowiseAI open source tool for easily building LLM applications. Flowise suffers from an information disclosure vulnerability caused by a flaw in the /api/v1/public-chatflows/:id endpoint that can be exploited by an attacker to obtain sensitive information...

8.7 CVSS | 5.7 AI score | 0.00421 EPSS
Exploits: 1
CNNVD
added 2026/04/23 12:00 a.m. | 10 views

Flowise Information Disclosure Vulnerability

Flowise is a FlowiseAI open source tool for easily building LLM applications. Flowise suffers from an information disclosure vulnerability caused by a flaw in the /api/v1/public-chatflows/:id endpoint that can be exploited by an attacker to obtain sensitive information...

8.7 CVSS | 5.7 AI score | 0.00421 EPSS
Exploits: 1 | References: 1
EUVD
added 2025/10/03 8:07 p.m. | 3 views

EUVD-2024-2463

Malicious code in bioql PyPI...

6.1 CVSS | 6.4 AI score | 0.00406 EPSS
Exploits: 1 | References: 5
CVE
added 2024/07/01 4:02 p.m. | 94 views

CVE-2024-36422

CVE-2024-36422 : Flowise v1.4.3 exposes a reflected XSS vulnerability at api/v1/chatflows/id. When unauthenticated, an attacker can craft a URL to inject JavaScript into a user session, enabling information theft, popups, or redirects. If the chatflow ID is not found, the reflected value appears ...

6.1 CVSS | 6.2 AI score | 0.00406 EPSS
Exploits: 1 | References: 2 | Affected Software: 1