968 matches found
Path Traversal
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Path Traversal via improper validation of the user-supplied chatflowid identifier in the addBase64FilesToStorage function. An attacker can access or modify arbitrary files, execute code, or...
Flowise has arbitrary file access due to missing chat flow id validation
Summary Missing chat flow id validation allows an attacker to access arbitrary file. Details Commit https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f and https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7 added check for filenam...
Directory Traversal
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Directory Traversal via improper validation of the chatId parameter in the file access process. An attacker can access sensitive files on the server filesystem, including database files...
Flowise has an Arbitrary File Read
Summary An arbitrary file read vulnerability in the chatId parameter supplied to both the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints allows unauthenticated users to read unintended files on the local filesystem. In the default Flowise configuration this allows...
Arbitrary Code Injection
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary Code Injection via the convertToValidJSONString function. An attacker can execute arbitrary JavaScript code with full server privileges by supplying malicious input to the...
flowise (>=2.0.0 <=2.2.8) potentially affected by CVE-2025-59528 via flowise-components (=2.2.8)
flowise-components NPM version =2.2.8 is affected by a known vulnerability. The following packages have a transitive dependency on flowise-components and may be impacted: - flowise =2.0.0, =2.2.8 Source cves: CVE-2025-59528 Source advisory: SNYK:JS-FLOWISECOMPONENTS-12818376...
Server-side Request Forgery (SSRF)
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetch function in the fetch-links feature when user-supplied URLs are not validated. An attacker can access internal network resources and sensitive...
flowise (>=1.6.1 <=2.2.8) potentially affected by CVE-2025-59527 via flowise-components (>=1.8.6 <=2.2.8)
flowise-components NPM version =1.8.6, =1.6.1, =2.2.8 Source cves: CVE-2025-59527 Source advisory: SNYK:JS-FLOWISECOMPONENTS-12840076...
FlowiseAI/Flowise has Server-Side Request Forgery (SSRF) vulnerability
Summary --- A Server-Side Request Forgery SSRF vulnerability was discovered in the /api/v1/fetch-links endpoint of the Flowise application. This vulnerability allows an attacker to use the Flowise server as a proxy to access internal network web services and explore their link structures. The...
GHSA-HR92-4Q35-4J3M FlowiseAI/Flowise has Server-Side Request Forgery (SSRF) vulnerability
Summary --- A Server-Side Request Forgery SSRF vulnerability was discovered in the /api/v1/fetch-links endpoint of the Flowise application. This vulnerability allows an attacker to use the Flowise server as a proxy to access internal network web services and explore their link structures. The...
flowise (>=1.6.1 <=2.2.8) potentially affected by unknown CVE via flowise-components (>=1.8.6 <=2.2.8)
flowise-components NPM version =1.8.6, =1.6.1, =2.2.8 Source cves: unknown CVE Source advisory: SNYK:JS-FLOWISECOMPONENTS-12818395...
Arbitrary Code Injection
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary Code Injection via the supabaseRPCFilter parameter. An attacker with administrative privileges can execute arbitrary server-side code, access sensitive environment variables, and...
PT-2025-39075
Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.0.6 Description Flowise is a drag-and-drop user interface for building customized large language model flows. A critical issue exists in the CustomMCP node, which allows users to input configuration settings for...
PT-2025-39072
Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.0.6 Flowise version 3.0.5 Description A Server-Side Request Forgery SSRF vulnerability exists in the /api/v1/fetch-links endpoint of the Flowise application. This allows an attacker to use the Flowise server as a...
CVE-2025-58434
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker...
Missing Authentication for Critical Function
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the forgot-password endpoint, which returns a valid password reset tempToken and sensitive user details without authentication or verification. An attacker c...
Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover
Summary The forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account...
GHSA-WGPV-6J63-X5PH Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover
Summary The forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account...
CVE-2025-58434
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker...
CVE-2025-58434 Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker...