CVE-2026-46476

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, CustomTemplate create and update mass-assignment allows cross-workspace template takeover. This issue has been patched in version 3.1.2...

CVE-2026-46476 Flowise: CustomTemplate create+update mass-assignment allows cross-workspace template takeover

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, CustomTemplate create and update mass-assignment allows cross-workspace template takeover. This issue has been patched in version 3.1.2...

CVE-2026-46476

CVE-2026-46476 concerns Flowise Flow’s CustomTemplate endpoints where Object.assign is used to populate a new/update entity from the client body. The root cause is mass-assignment that accepts sensitive fields (notably workspaceId and id) from the request, enabling cross-workspace data takeover. ...

CVE-2026-8134 Concrete CMS 9.5.0 and below is vulnerable to Authenticated RCE via Composer customTemplate Path Traversal leading to PHP File Inclusion

Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include arbitrary readable file...

NPM: FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover

NPM: FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...