4 matches found
CVE-2026-46477
FlowiseAI’s CVE-2026-46477 describes a mass-assignment vulnerability in the dataset service prior to version 3.1.2. The code uses Object.assign to copy the request body into a new Dataset for create and update, allowing client-controlled fields such as workspaceId and id to overwrite persisted va...
FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover
Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the Dataset entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/dataset/index.ts Root cause: The Dataset controller/service constructs a new...
EUVD-2025-7114
Malicious code in bioql PyPI...
PYSEC-2024-241
Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields...