Lucene search
K

17 matches found

NVD
NVD
added 2026/07/02 8:17 p.m.6 views

CVE-2026-59094

Pathway through 0.31.1, fixed in commit d09722e, document store applies a caller-supplied glob pattern to indexed document paths using a hand-written recursive matcher that branches two ways on each token without memoization, giving exponential worst-case complexity. The filepathglobpattern value...

8.7CVSS0.0047EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/02 7:40 p.m.7 views

EUVD-2026-41425

Pathway through 0.31.1, fixed in commit d09722e, document store applies a caller-supplied glob pattern to indexed document paths using a hand-written recursive matcher that branches two ways on each token without memoization, giving exponential worst-case complexity. The filepathglobpattern value...

8.7CVSS5.9AI score0.0047EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/02 7:40 p.m.33 views

CVE-2026-59094 Pathway - Unauthenticated Denial of Service via Exponential Glob Pattern Matching in Document Store

Pathway through 0.31.1, fixed in commit d09722e, document store applies a caller-supplied glob pattern to indexed document paths using a hand-written recursive matcher that branches two ways on each token without memoization, giving exponential worst-case complexity. The filepathglobpattern value...

8.7CVSS0.0047EPSS
Exploits0References4
CVE
CVE
added 2026/07/02 7:40 p.m.13 views

CVE-2026-59094

Affected software: Pathway, affected up to v0.31.1. Vulnerability: document store applies a caller-supplied glob pattern to indexed document paths via a hand-written recursive matcher that branches on each ** token without memoization, yielding exponential worst-case complexity. The pattern from ...

8.7CVSS5.9AI score0.0047EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/02 7:40 p.m.8 views

CVE-2026-59094

Pathway through 0.31.1, fixed in commit d09722e, document store applies a caller-supplied glob pattern to indexed document paths using a hand-written recursive matcher that branches two ways on each token without memoization, giving exponential worst-case complexity. The filepathglobpattern value...

8.7CVSS5.9AI score0.0047EPSS
Exploits0References5
NVD
NVD
added 2026/06/25 10:16 p.m.11 views

CVE-2025-71338

Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like...

10CVSS0.00639EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/06/25 9:41 p.m.27 views

CVE-2025-71338 Flowise - Arbitrary File Write to Remote Code Execution via document-store API

Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like...

10CVSS0.00639EPSS
Exploits1References2
CVE
CVE
added 2026/06/25 9:41 p.m.27 views

CVE-2025-71338

Flowise is affected by a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem by crafting unsanitized fileName parameters with ../ sequences. This can overwrite critical files (e.g., pac...

10CVSS6.7AI score0.00639EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.19 views

PT-2026-52616

Name of the Vulnerable Software and Affected Versions Flowise affected versions not specified Description An unauthenticated path traversal issue exists in the '/api/v1/document-store/loader/process' endpoint. This flaw allows attackers to write arbitrary files to the filesystem by using...

10CVSS6.7AI score0.00639EPSS
Exploits1References10
ATTACKERKB
ATTACKERKB
added 2026/04/23 7:48 p.m.10 views

CVE-2026-41277

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key id and internal state fields of DocumentStore entities. Because the...

7.6CVSS5.8AI score0.00333EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/23 12:0 a.m.16 views

PT-2026-34745

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key id and internal state fields of DocumentStore entities. Because the...

7.6CVSS5.8AI score0.00333EPSS
Exploits1References2
OSV
OSV
added 2026/04/17 9:34 p.m.25 views

GHSA-3PRP-9GF7-4RXX Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)

Summary A Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key id and internal state fields of DocumentStore entities. Because the service uses repository.save with a client-supplied primary key, the POST create endpoint behave...

8.8CVSS5.8AI score0.00333EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/04/17 9:34 p.m.8 views

Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)

Summary A Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key id and internal state fields of DocumentStore entities. Because the service uses repository.save with a client-supplied primary key, the POST create endpoint behave...

8.8CVSS5.8AI score0.00333EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2025/09/05 8:39 p.m.8 views

CVE-2025-10060 MongoDB may be susceptible to Invariant Failure in Transactions due Upsert Operation

MongoDB Server may allow upsert operations retried within a transaction to violate unique index constraints, potentially causing an invariant failure and server crash during commit. This issue may be triggered by improper WriteUnitOfWork state management. This issue affects MongoDB Server v6.0...

6.5CVSS0.00305EPSS
Exploits0References1
Cvelist
Cvelist
added 2025/08/08 12:0 a.m.11 views

CVE-2025-50468

OpenMetadata =1.4.4 is vulnerable to SQL Injection. An attacker can extract information from the database in function listCount in the DocStoreDAO interface. The entityType parameters can be used to build a SQL query...

0.00297EPSS
Exploits1References3
BDU FSTEC
BDU FSTEC
added 2019/12/17 12:0 a.m.8 views

The vulnerability of the document-oriented MongoDB database management system, related to deficiencies in access control, allows a hacker to execute arbitrary code.

The vulnerability of the document-oriented MongoDB database management system is related to deficiencies in access control. Exploiting this vulnerability allows a malicious actor to execute arbitrary code using a special application...

6.1CVSS7.6AI score0.01011EPSS
Exploits0References3Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2018/06/15 7:3 a.m.16 views

Security Bulletin: IBM Business Process Manager (BPM) document store is susceptible to XXE (XML External Entity) attacks. (CVE-2013-5452)

Summary An XML eXternal Entity XXE vulnerability has been reported for the embedded component used by IBM BPM document store. Vulnerability Details CVEID: CVE-2013-5452 DESCRIPTION: The IBM FileNet Business Process Framework is vulnerable to an XML external entity attack. A remote attacker could...

3.5CVSS0.3AI score0.01036EPSS
Exploits0Affected Software3
Rows per page
Query Builder