40 matches found
Arbitrary Code Injection
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary Code Injection via the node-custom-function endpoint when user-supplied JavaScript is executed in a NodeVM sandbox without sufficient route-level authorization. A user can execute...
NPM: Flowise has an MCP Security Bypass that Enables RCE
NPM: Flowise has an MCP Security Bypass that Enables RCE vulnerability discovered by ? in WordPress Npm flowise-components versions = 3.1.1...
Incomplete List of Disallowed Inputs
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs inadequate input validation in the validateCommandFlags and validateArgsForLocalFileAccess functions. An attacker can execute arbitrary commands on the...
Incomplete List of Disallowed Inputs
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the run function of the CSVAgents class when evaluating LLM-generated Python scripts in a pyodide environment without sufficient sandboxing. An attack...
Incomplete List of Disallowed Inputs
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the run method of the AirtableAgents class, which evaluates LLM-generated Python scripts in a non-sandboxed environment. An attacker can execute...
Improper Neutralization of Special Elements in Data Query Logic
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic through the GraphCypherQAChain request handling and graph.query execution path in GraphCypherQAChain.ts. An attacker can force...
flowise (>=2.0.0 <=2.2.8) potentially affected by CVE-2026-41274 via flowise-components (=2.2.8)
flowise-components NPM version =2.2.8 is affected by a known vulnerability. The following packages have a transitive dependency on flowise-components and may be impacted: - flowise =2.0.0, =2.2.8 Source cves: CVE-2026-41274 Source advisory: SNYK:JS-FLOWISECOMPONENTS-16111007...
Server-side Request Forgery (SSRF)
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via postCore.ts. An attacker can cause the server to make arbitrary HTTP requests to internal or external systems by injecting malicious prompt templates that...
Server-side Request Forgery (SSRF)
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the secureAxiosRequest and secureFetch functions. An attacker can gain unauthorized access to internal services and potentially exfiltrate sensitive data ...
Server-side Request Forgery (SSRF)
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the getHttpDenyList process in httpSecurity.ts. An attacker can reach internal or otherwise denied HTTP endpoints by supplying requests that rely on t...
Arbitrary File Upload
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary File Upload in the createAttachment in Chatflow. An attacker can upload and persistently store malicious JavaScript files on the server by bypassing MIME type validation, which may...
Partial String Comparison
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Partial String Comparison due to the replaceInputsWithConfig logic in packages/server/src/utils/index.ts. An attacker can override flow parameters by supplying a crafted override configuratio...
Arbitrary Code Injection
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary Code Injection via the customReadCSVFunc process. An attacker can execute arbitrary code on the server by supplying malicious input that is interpolated and executed without proper...
copilot-studio-datainsight (>=0.0.1 <=0.0.6), flowise (>=1.6.1 <=2.2.8) potentially affected by CVE-2026-41138 via flowise-components (>=1.3.4 <=2.2.8)
flowise-components NPM version =1.3.4, =0.0.1, =1.6.1, =2.2.8 Source cves: CVE-2026-41138 Source advisory: SNYK:JS-FLOWISECOMPONENTS-16110988...
Arbitrary Code Injection
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary Code Injection through the pythonCodeValidator and the Python execution paths in AirtableAgent.ts and CSVAgent.ts. An attacker can supply LLM-generated Python code that smuggles in...
Server-side Request Forgery (SSRF)
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via ExecuteFlow.ts. An attacker can cause the server to initiate HTTP requests to internal network addresses, potentially accessing sensitive management...
Server-side Request Forgery (SSRF)
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the URL-fetching tool in ExecuteFlow.ts, APILoader.ts, FireCrawl.ts, SpiderApp.ts, AzureRerank.ts, Jira/core.ts, MCP/core.ts, OpenAPIToolkit.ts, and...
Directory Traversal
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Directory Traversal via the vector store path handling in Faiss.ts and SimpleStore.ts. An attacker can read from or write to unintended filesystem locations by supplying a crafted basePath wh...
flowise (>=1.6.1 <=2.2.8) potentially affected by unknown CVE via flowise-components (>=1.8.6 <=2.2.8)
flowise-components NPM version =1.8.6, =1.6.1, =2.2.8 Source cves: unknown CVE Source advisory: SNYK:JS-FLOWISECOMPONENTS-16115272...
Use of a Broken or Risky Cryptographic Algorithm
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the process that handles JWT secret assignment. An attacker can gain unauthorized access and impersonate any user, including administrators...