EUVD-2026-25277
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the CSVAgent allows providing custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the...
Incomplete List of Disallowed Inputs
Overview flowise-ui is a Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the run method of the AirtableAgents class, which evaluates LLM-generated Python scripts in a non-sandboxed environment. An attacker can execute arbitrary code on the server by...
Arbitrary Code Injection
Overview flowise-ui is a Affected versions of this package are vulnerable to Arbitrary Code Injection via the customReadCSVFunc process. An attacker can execute arbitrary code on the server by supplying malicious input that is interpolated and executed without proper sanitization. This is only...
Use of a Broken or Risky Cryptographic Algorithm
Overview flowise-ui is a Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the process that handles JWT secret assignment. An attacker can gain unauthorized access and impersonate any user, including administrators, by crafting valid JWTs usin...
Server-side Request Forgery (SSRF)
Overview flowise-ui is a Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the HTTP Node as it is used in AgentFlow and Chatflow. An attacker can access internal network resources, retrieve sensitive information, or modify and delete data by supplying crafte...
flowise (>=1.6.1 <=2.2.8), flowise-birat (>=1.0.0 <=1.2.5) +2 more potentially affected by unknown CVE via flowise-ui (>=1.8.4 <=2.2.8)
flowise-ui NPM version =1.8.4, =1.6.1, =1.0.0, =0.0.1, =0.0.2, =0.0.4 Source cves: unknown CVE Source advisory: OSV:GHSA-FJH6-8679-9PCH...
Unverified Password Change
Overview flowise-ui is a Affected versions of this package are vulnerable to Unverified Password Change via the profile update process. An attacker can gain unauthorized access to user accounts by changing the authentication password without additional verification steps. Note: This is only...
flowise (>=1.6.1 <=2.2.8), flowise-birat (>=1.0.0 <=1.2.5) +2 more potentially affected by unknown CVE via flowise-ui (>=1.8.4 <=2.2.8)
flowise-ui NPM version =1.8.4, =1.6.1, =1.0.0, =0.0.1, =0.0.2, =0.0.4 Source cves: unknown CVE Source advisory: OSV:GHSA-X39M-3393-3QP4...
Insufficient Session Expiration
Overview flowise-ui is a Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to invalidate active session tokens after a password change. An attacker can maintain unauthorized access by continuing to use a previously established session even afte...