Lucene search
+L

968 matches found

attackerkb
attackerkb
added 2026/06/30 10:8 p.m.7 views

CVE-2026-56278

Flowise before 3.1.0 affected versions 3.0.13 and earlier uses a weak hardcoded default secret 'flowise' for the express-session middleware when the EXPRESSSESSIONSECRET environment variable is not set packages/server/src/enterprise/middleware/passport/index.ts. Because this default secret is...

9.3CVSS5.8AI score0.0036EPSS
Exploits0References3
cve
cve
added 2026/06/30 10:8 p.m.19 views

CVE-2026-56278

Flowise before 3.1.0 (affected: 3.0.13 and earlier) uses a weak hardcoded default session secret ('flowise') for express-session when EXPRESS_SESSION_SECRET is not set (packages/server/src/enterprise/middleware/passport/index.ts). Because the secret is publicly visible in the source, an attacker ...

9.3CVSS5.8AI score0.0036EPSS
Exploits0References2Affected Software1
cvelist
cvelist
added 2026/06/30 10:8 p.m.31 views

CVE-2026-56278 Flowise - Session Hijacking via Weak Default Express Session Secret

Flowise before 3.1.0 affected versions 3.0.13 and earlier uses a weak hardcoded default secret 'flowise' for the express-session middleware when the EXPRESSSESSIONSECRET environment variable is not set packages/server/src/enterprise/middleware/passport/index.ts. Because this default secret is...

9.3CVSS0.0036EPSS
Exploits0References2
osv
osv
added 2026/06/30 10:8 p.m.3 views

CVE-2026-56277 Flowise - Hardcoded CORS Wildcard in TTS Endpoint

Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard on its text-to-speech TTS generation endpoint packages/server/src/controllers/text-to-speech/index.ts, independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS...

6.9CVSS6AI score0.00136EPSS
Exploits0References4
osv
osv
added 2026/06/30 10:8 p.m.3 views

CVE-2026-56278 Flowise - Session Hijacking via Weak Default Express Session Secret

Flowise before 3.1.0 affected versions 3.0.13 and earlier uses a weak hardcoded default secret 'flowise' for the express-session middleware when the EXPRESSSESSIONSECRET environment variable is not set packages/server/src/enterprise/middleware/passport/index.ts. Because this default secret is...

9.3CVSS6AI score0.0036EPSS
Exploits0References4
cve
cve
added 2026/06/30 10:8 p.m.12 views

CVE-2026-56277

Flowise (pre-3.1.2) exposes a security flaw in its text-to-speech (TTS) endpoint. The endpoint at packages/server/src/controllers/text-to-speech/index.ts sets Access-Control-Allow-Origin to a hardcoded wildcard (*), bypassing the server’s configured CORS policy and enabling cross-origin requests ...

6.9CVSS5.8AI score0.00136EPSS
Exploits0References2Affected Software1
nvd
nvd
added 2026/06/28 2:16 a.m.10 views

CVE-2026-58057

Flowise before 3.1.3 validates Custom MCP stdio environment variables against a denylist using a case-sensitive comparison, so on Windows, where environment names are case-insensitive, supplying 'nodeoptions' bypasses the NODEOPTIONS denylist entry. An authenticated user who can configure a Custo...

5CVSS0.00827EPSS
Exploits3References3
cve
cve
added 2026/06/28 1:32 a.m.35 views

CVE-2026-58057

Flowise before 3.1.3 is affected: a case-sensitive denylist for Custom MCP stdio environment variables allows bypass on Windows (case-insensitive env names). An authenticated user who can configure a Custom MCP node can inject NODE_OPTIONS --require to execute arbitrary code in the Flowise server...

5CVSS6.1AI score0.00827EPSS
Exploits3References3Affected Software1
osv
osv
added 2026/06/28 1:32 a.m.4 views

CVE-2026-58057 Flowise - Custom MCP Environment Variable Denylist Bypass via Case Sensitivity

Flowise before 3.1.3 validates Custom MCP stdio environment variables against a denylist using a case-sensitive comparison, so on Windows, where environment names are case-insensitive, supplying 'nodeoptions' bypasses the NODEOPTIONS denylist entry. An authenticated user who can configure a Custo...

2.3CVSS6.3AI score0.00827EPSS
Exploits3References5
euvd
euvd
added 2026/06/28 1:32 a.m.10 views

EUVD-2026-39977

Flowise before 3.1.3 validates Custom MCP stdio environment variables against a denylist using a case-sensitive comparison, so on Windows, where environment names are case-insensitive, supplying 'nodeoptions' bypasses the NODEOPTIONS denylist entry. An authenticated user who can configure a Custo...

5CVSS6.1AI score0.00827EPSS
Exploits3References3
cvelist
cvelist
added 2026/06/28 1:32 a.m.51 views

CVE-2026-58057 Flowise - Custom MCP Environment Variable Denylist Bypass via Case Sensitivity

Flowise before 3.1.3 validates Custom MCP stdio environment variables against a denylist using a case-sensitive comparison, so on Windows, where environment names are case-insensitive, supplying 'nodeoptions' bypasses the NODEOPTIONS denylist entry. An authenticated user who can configure a Custo...

5CVSS0.00827EPSS
Exploits3References3
ptsecurity
ptsecurity
added 2026/06/28 12:0 a.m.16 views

PT-2026-53089

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.3 Description An authenticated user can execute arbitrary code in the server context by configuring a Custom MCP node. The issue occurs because environment variables are validated against a denylist using a...

5CVSS6.1AI score0.00827EPSS
Exploits3References12
euvd
euvd
added 2026/06/26 12:32 a.m.7 views

EUVD-2025-210340

Flowise before 3.0.6 affected versions 2.2.8 and earlier contains an arbitrary file access vulnerability due to missing validation that the chatflowId and chatId parameters are UUIDs or numbers in file handling operations. By supplying a path-traversal value e.g., '../../../../../tmp' as the...

9.8CVSS6.3AI score0.00895EPSS
Exploits1References5
euvd
euvd
added 2026/06/26 12:32 a.m.7 views

EUVD-2025-210341

Flowise before 3.0.10 affected versions 3.0.7 and earlier fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the...

8.6CVSS5.9AI score0.00266EPSS
Exploits1References3
euvd
euvd
added 2026/06/26 12:32 a.m.8 views

EUVD-2025-210342

Flowise before 3.0.6 affected versions 2.2.7-patch.1 and earlier contains an unsandboxed remote code execution vulnerability in the Custom MCP feature, which is designed to execute OS commands such as launching local MCP servers. Because Flowise's authentication and authorization model is minimal...

9.8CVSS6.8AI score0.00757EPSS
Exploits1References3
euvd
euvd
added 2026/06/26 12:32 a.m.8 views

EUVD-2025-210337

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API...

9.3CVSS6AI score0.0046EPSS
Exploits1References3
euvd
euvd
added 2026/06/26 12:32 a.m.8 views

EUVD-2025-210336

Flowise before 3.0.6 contains an arbitrary file read vulnerability in the chatId parameter of the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints. The chatId value is not validated and is passed to streamStorageFile, where a fallback file-lookup path constructed...

8.7CVSS6AI score0.00346EPSS
Exploits1References3
euvd
euvd
added 2026/06/26 12:32 a.m.8 views

EUVD-2025-210338

Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through the account settings Security section without supplying the current password or any additional verification, as the application does not enforce a...

8.7CVSS6AI score0.00327EPSS
Exploits1References3
nvd
nvd
added 2026/06/25 10:16 p.m.9 views

CVE-2025-71336

Flowise before 3.0.6 affected versions 2.2.7-patch.1 and earlier contains an unsandboxed remote code execution vulnerability in the Custom MCP feature, which is designed to execute OS commands such as launching local MCP servers. Because Flowise's authentication and authorization model is minimal...

9.8CVSS0.00757EPSS
Exploits1References2
nvd
nvd
added 2026/06/25 10:16 p.m.8 views

CVE-2025-71333

Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially...

9.8CVSS0.00611EPSS
Exploits1References2
Rows per page
Query Builder