Lucene search
+L

4 matches found

OSV
OSV
added 2025/09/15 8:30 p.m.3 views

GHSA-6933-JPX5-Q87Q Flowise has unsandboxed remote code execution via Custom MCP

Summary The Custom MCPs feature is designed to execute OS commands, for instance, using tools like npx to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls RBAC. Furthermore, the default installation of...

9.3CVSS7.8AI score0.00757EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added 2025/08/14 9:54 a.m.3 views

CVE-2025-8943 Unsupervised OS command execution leads to remote code execution by unauthenticated network attackers

The Custom MCPs feature is designed to execute OS commands, for instance, using tools like npx to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls RBAC. Furthermore, in Flowise versions before 3.0.1 the...

9.8CVSS7.6AI score0.7231EPSS
Exploits3References1
OSV
OSV
added 2025/08/14 9:54 a.m.4 views

CVE-2025-8943 Unsupervised OS command execution leads to remote code execution by unauthenticated network attackers

The Custom MCPs feature is designed to execute OS commands, for instance, using tools like npx to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls RBAC. Furthermore, in Flowise versions before 3.0.1 the...

9.8CVSS7.4AI score0.7231EPSS
Exploits3References4
Positive Technologies
Positive Technologies
added 2025/08/14 12:0 a.m.5 views

PT-2025-33147

Name of the Vulnerable Software and Affected Versions: Flowise versions prior to 3.0.1 Description: Flowise, a software platform for building user interfaces over language models LLM, has a missing authentication check for a critical function. This allows remote, unauthenticated attackers to...

10CVSS7.5AI score0.7231EPSS
Exploits3References18
Rows per page
Query Builder