Lucene search
+L

968 matches found

snyk
snyk
added 2025/09/15 8:11 p.m.3 views

Path Traversal

Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Path Traversal via improper validation of the user-supplied chatflowid identifier in the addBase64FilesToStorage function. An attacker can access or modify arbitrary files, execute code, or...

9.1CVSS7.5AI score
Exploits0References2
github
github
added 2025/09/15 8:11 p.m.9 views

Flowise has arbitrary file access due to missing chat flow id validation

Summary Missing chat flow id validation allows an attacker to access arbitrary file. Details Commit https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f and https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7 added check for filenam...

7AI score
Exploits0References4Affected Software1
snyk
snyk
added 2025/09/15 8:0 p.m.2 views

Directory Traversal

Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Directory Traversal via improper validation of the chatId parameter in the file access process. An attacker can access sensitive files on the server filesystem, including database files...

9.1CVSS7.8AI score
Exploits0References2
github
github
added 2025/09/15 8:0 p.m.13 views

Flowise has an Arbitrary File Read

Summary An arbitrary file read vulnerability in the chatId parameter supplied to both the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints allows unauthenticated users to read unintended files on the local filesystem. In the default Flowise configuration this allows...

6.9AI score
Exploits0References2Affected Software1
snyk
snyk
added 2025/09/15 7:59 p.m.5 views

Arbitrary Code Injection

Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary Code Injection via the convertToValidJSONString function. An attacker can execute arbitrary JavaScript code with full server privileges by supplying malicious input to the...

10CVSS7.7AI score0.90183EPSS
Exploits21References2
vulnersosv
vulnersosv
added 2025/09/15 7:59 p.m.7 views

flowise (>=2.0.0 <=2.2.8) potentially affected by CVE-2025-59528 via flowise-components (=2.2.8)

flowise-components NPM version =2.2.8 is affected by a known vulnerability. The following packages have a transitive dependency on flowise-components and may be impacted: - flowise =2.0.0, =2.2.8 Source cves: CVE-2025-59528 Source advisory: SNYK:JS-FLOWISECOMPONENTS-12818376...

10CVSS7.3AI score0.90183EPSS
Exploits21
snyk
snyk
added 2025/09/15 7:53 p.m.3 views

Server-side Request Forgery (SSRF)

Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetch function in the fetch-links feature when user-supplied URLs are not validated. An attacker can access internal network resources and sensitive...

8.7CVSS6.6AI score0.04666EPSS
Exploits1References2
vulnersosv
vulnersosv
added 2025/09/15 7:53 p.m.17 views

flowise (>=1.6.1 <=2.2.8) potentially affected by CVE-2025-59527 via flowise-components (>=1.8.6 <=2.2.8)

flowise-components NPM version =1.8.6, =1.6.1, =2.2.8 Source cves: CVE-2025-59527 Source advisory: SNYK:JS-FLOWISECOMPONENTS-12840076...

7.5CVSS5.8AI score0.04666EPSS
Exploits1
github
github
added 2025/09/15 7:53 p.m.6 views

FlowiseAI/Flowise has Server-Side Request Forgery (SSRF) vulnerability

Summary --- A Server-Side Request Forgery SSRF vulnerability was discovered in the /api/v1/fetch-links endpoint of the Flowise application. This vulnerability allows an attacker to use the Flowise server as a proxy to access internal network web services and explore their link structures. The...

7.5CVSS6.9AI score0.04666EPSS
Exploits1References7Affected Software1
osv
osv
added 2025/09/15 7:53 p.m.3 views

GHSA-HR92-4Q35-4J3M FlowiseAI/Flowise has Server-Side Request Forgery (SSRF) vulnerability

Summary --- A Server-Side Request Forgery SSRF vulnerability was discovered in the /api/v1/fetch-links endpoint of the Flowise application. This vulnerability allows an attacker to use the Flowise server as a proxy to access internal network web services and explore their link structures. The...

7.5CVSS6.9AI score0.04666EPSS
Exploits1References7
vulnersosv
vulnersosv
added 2025/09/15 7:51 p.m.13 views

flowise (>=1.6.1 <=2.2.8) potentially affected by unknown CVE via flowise-components (>=1.8.6 <=2.2.8)

flowise-components NPM version =1.8.6, =1.6.1, =2.2.8 Source cves: unknown CVE Source advisory: SNYK:JS-FLOWISECOMPONENTS-12818395...

5.8AI score
Exploits0
snyk
snyk
added 2025/09/15 7:51 p.m.3 views

Arbitrary Code Injection

Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary Code Injection via the supabaseRPCFilter parameter. An attacker with administrative privileges can execute arbitrary server-side code, access sensitive environment variables, and...

9.1CVSS7.8AI score
Exploits0References2
ptsecurity
ptsecurity
added 2025/09/15 12:0 a.m.8 views

PT-2025-39075

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.0.6 Description Flowise is a drag-and-drop user interface for building customized large language model flows. A critical issue exists in the CustomMCP node, which allows users to input configuration settings for...

10CVSS7.8AI score0.90183EPSS
Exploits21References88
ptsecurity
ptsecurity
added 2025/09/15 12:0 a.m.5 views

PT-2025-39072

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.0.6 Flowise version 3.0.5 Description A Server-Side Request Forgery SSRF vulnerability exists in the /api/v1/fetch-links endpoint of the Flowise application. This allows an attacker to use the Flowise server as a...

7.5CVSS6.4AI score0.04666EPSS
Exploits1References12
redhatcve
redhatcve
added 2025/09/14 6:29 p.m.4 views

CVE-2025-58434

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker...

9.8CVSS7AI score0.50118EPSS
Exploits14References1
snyk
snyk
added 2025/09/12 8:2 p.m.4 views

Missing Authentication for Critical Function

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the forgot-password endpoint, which returns a valid password reset tempToken and sensitive user details without authentication or verification. An attacker c...

9.8CVSS7.3AI score0.50118EPSS
Exploits14References2
github
github
added 2025/09/12 8:2 p.m.25 views

Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover

Summary The forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account...

9.8CVSS7.2AI score0.50118EPSS
Exploits14References4Affected Software1
osv
osv
added 2025/09/12 8:2 p.m.3 views

GHSA-WGPV-6J63-X5PH Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover

Summary The forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account...

9.8CVSS7.2AI score0.50118EPSS
Exploits14References4
nvd
nvd
added 2025/09/12 6:15 p.m.18 views

CVE-2025-58434

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker...

9.8CVSS0.50118EPSS
Exploits14References2
vulnrichment
vulnrichment
added 2025/09/12 5:37 p.m.6 views

CVE-2025-58434 Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker...

9.8CVSS6.7AI score0.50118EPSS
Exploits14References2
Rows per page
Query Builder