38 matches found
CVE-2026-41273
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public...
CVE-2026-41279 Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint POST /api/v1/text-to-speech/generate is whitelisted no auth and accepts a credentialId directly in the request body. When called without a chatflowId, th...
CVE-2026-41278 Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the...
PT-2026-34746
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the...
GHSA-6F7G-V4PP-R667 Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow in Flowise
Summary Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth...
CVE-2023-40344
A missing permission check in Jenkins Delphix Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins...
Improper Access Control
com.blazemeter.plugins, BlazeMeterJenkinsPlugin is vulnerable to Improper Access Control. The vulnerability is due to insufficient permission checks in the Jenkins UI, which allows an attacker to view sensitive resource identifiers such as credential IDs, workspaces, and project IDs without prope...
CVE-2025-13472
A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow users only with certain permissions to see the list of available resources like credential IDs, bzm workspaces and bzm project Ids. Prior to this fix, anyone could see this list as a dropdown on the Jenkins UI...
CVE-2025-13472 Missing authorization in BlazeMeter Jenkins Plugin
A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow users only with certain permissions to see the list of available resources like credential IDs, bzm workspaces and bzm project Ids. Prior to this fix, anyone could see this list as a dropdown on the Jenkins UI...
Missing Authorization
Overview org.jenkins-ci.plugins:publish-to-bitbucket is a This plugin publishes the current code to a bitbucket server by creating a new repository and/or project. Creates a Bitbucket repository and associated project from the current code. Features Creates Bitbucket repository based on the curre...
CVE-2025-64148
A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins...
CVE-2025-64148
A missing permission check in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins...
Jenkins Publish to Bitbucket Plugin 安全漏洞
Jenkins Publish to Bitbucket Plugin is an automated publishing plugin for Jenkins open source. A security vulnerability exists in Jenkins Publish to Bitbucket Plugin 0.4 and earlier versions, which stems from a lack of privilege checking and could lead an attacker to enumerate credential IDs stor...
CVE-2025-58460
The CVE concerns the Jenkins OpenTelemetry Plugin (versions up to 3.1543.v8446b_92b_cd64) with a missing permission check. This allows attackers who have Overall/Read to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, enabling capture...
CVE-2025-24402
A cross-site request forgery CSRF vulnerability in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers to connect to a Service Fabric URL using attacker-specified credentials IDs obtained through another method...
CVE-2023-37950
A missing permission check in Jenkins mabl Plugin 0.0.46 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins...
CVE-2023-24433
Missing permission checks in Jenkins Orka by MacStadium Plugin 1.31 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
CVE-2023-24432
A cross-site request forgery CSRF vulnerability in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
Jenkins Compuware Topaz for Total Test Plugin 安全漏洞
Jenkins and Jenkins Plugin are both Jenkins open source products.Jenkins is a software application . An open source automation server Jenkins provides hundreds of plugins to support building, deploying, and automating any project.Jenkins Plugin is a software application. A security vulnerability...
CVE-2022-41250
A missing permission check in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...