Lucene search
K

10 matches found

RedhatCVE
RedhatCVE
added 2026/06/09 8:59 p.m.15 views

CVE-2026-46480

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluator create and update mass-assignment allows cross-workspace evaluator takeover. This issue has been patched in version 3.1.2...

8.8CVSS5.3AI score0.00335EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/08 3:31 p.m.7 views

CVE-2026-46477

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, dataset create and update mass-assignment allows cross-workspace dataset takeover. This issue has been patched in version 3.1.2...

7.7CVSS5.4AI score0.00335EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/06/08 3:31 p.m.11 views

EUVD-2026-35112

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, assistant create and update mass-assignment allows cross-workspace assistant takeover. This issue has been patched in version 3.1.2...

7.7CVSS5.3AI score0.00335EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/06/08 12:0 a.m.10 views

Flowise 安全漏洞

Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Versions of Flowise prior to 3.1.2 contained security vulnerabilities. These vulnerabilities stemmed from issues with batch assignment during the creation and updating of evaluators, which could...

8.8CVSS5.3AI score0.00335EPSS
Exploits0References2
OSV
OSV
added 2026/05/14 4:19 p.m.9 views

GHSA-78PR-C5X5-JGGC FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover

Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the Assistant entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/assistants/index.ts Root cause: The Assistant controller/service construct...

8.8CVSS6AI score0.00335EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.15 views

PT-2026-41212

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the dataset create and update processes. The application uses Object.assign to copy the request body into a Dataset entity without an explicit field allowlist,...

8.8CVSS5.5AI score0.00335EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.14 views

PT-2026-41214

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the evaluation create and update processes. The server uses Object.assign to copy the request body into the Evaluation entity without an explicit field allowlist,...

7.7CVSS5.5AI score0.00335EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2026/04/25 7:22 a.m.5 views

CVE-2026-41277

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key id and internal state fields of DocumentStore entities. Because the...

8.8CVSS5.5AI score0.00333EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/04/23 7:48 p.m.4 views

CVE-2026-41277 Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key id and internal state fields of DocumentStore entities. Because the...

7.6CVSS5.4AI score0.00333EPSS
Exploits1References1
CVE
CVE
added 2026/04/23 7:48 p.m.10 views

CVE-2026-41277

Flowise (FlowiseAI) prior to 3.1.0 is affected by a Mass Assignment vulnerability in the DocumentStore creation endpoint. The service uses a client-supplied primary key (id) with repository.save(), making the POST create endpoint act as an implicit UPSERT and enabling overwriting existing Documen...

8.8CVSS5.8AI score0.00333EPSS
Exploits1References1Affected Software1
Rows per page
Query Builder