Lucene search

13 matches found

Cvelist
added 2026/03/07 5:8 a.m. · 105 views

CVE-2026-30822 Flowise: Mass Assignment in `/api/v1/leads` Endpoint

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when creating leads. This issue has been patched in version 3.0.13...

CVSS 7.7 · EPSS 0.12902
Exploits: 1 · References: 2

OSV
added 2026/03/07 5:8 a.m. · 4 views

CVE-2026-30822 Flowise: Mass Assignment in `/api/v1/leads` Endpoint

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when creating leads. This issue has been patched in version 3.0.13...

CVSS 7.7 · AI score 5.8 · EPSS 0.12902
Exploits: 1 · References: 4

CVE
added 2026/03/07 5:8 a.m. · 22 views

CVE-2026-30822

Flowise CVE-2026-30822 describes a mass-assignment vulnerability in the public /api/v1/leads endpoint. Before 3.0.13, unauthenticated users can inject arbitrary values into internal fields (id, createdDate, chatId) via Object.assign() when creating leads, bypassing auto-generation and validation....

CVSS 7.7 · AI score 7.1 · EPSS 0.12902
Exploits: 1 · References: 2 · Affected Software: 1

Snyk
added 2026/03/06 10:19 p.m. · 5 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview: flowise is a Flowiseai Server. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the Object.assign function. An attacker can manipulate internal entity fields such as id, createdDate, and chatId by...

CVSS 9.2 · AI score 5.8 · EPSS 0.12902
Exploits: 1 · References: 2

OSV
added 2026/03/06 10:19 p.m. · 5 views

GHSA-MQ4R-H2GH-QV7X Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint

Summary: A Mass Assignment vulnerability in the /api/v1/leads endpoint allows any unauthenticated user to control internal entity fields id, createdDate, chatId by including them in the request body. The endpoint uses Object.assign to copy all properties from the request body to the Lead entity...

CVSS 7.7 · AI score 5.9 · EPSS 0.12902
Exploits: 1 · References: 4

Github Security Blog
added 2026/03/06 10:19 p.m. · 7 views

Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint

Summary: A Mass Assignment vulnerability in the /api/v1/leads endpoint allows any unauthenticated user to control internal entity fields id, createdDate, chatId by including them in the request body. The endpoint uses Object.assign to copy all properties from the request body to the Lead entity...

CVSS 7.7 · AI score 5.9 · EPSS 0.12902
Exploits: 1 · References: 4 · Affected Software: 1

Positive Technologies
added 2026/03/06 12:0 a.m. · 7 views

PT-2026-23788

Flowise and Affected Versions: Flowise versions prior to 3.0.13. Description: Flowise is a drag & drop user interface to build a customized large language model flow. A mass assignment issue exists in the /api/v1/leads endpoint, allowing unauthenticated users to control internal entity fields id,...

CVSS 7.7 · AI score 7.2 · EPSS 0.12902
Exploits: 1 · References: 5

EUVD
added 2025/10/03 8:7 p.m. · 3 views

EUVD-2025-31561

Malicious code in bioql PyPI...

CVSS 6.1 · AI score 6.6 · EPSS 0.00221
Exploits: 0 · References: 2

NVD
added 2025/09/29 9:15 a.m. · 7 views

CVE-2025-10345

HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameters 'name' and 'address' at the endpoint 'admin/leads/lead'...

CVSS 6.1 · EPSS 0.00221
Exploits: 0 · References: 1

Vulnrichment
added 2025/09/29 8:42 a.m. · 2 views

CVE-2025-10345 HTML injection in Perfex CRM

HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameters 'name' and 'address' at the endpoint 'admin/leads/lead'...

CVSS 5.3 · AI score 6.7 · EPSS 0.00221
Exploits: 0 · References: 1

CVE
added 2025/09/29 8:42 a.m. · 14 views

CVE-2025-10345

CVE-2025-10345 affects Perfex CRM in version 3.2.1. The issue is a stored HTML injection caused by insufficient validation of user input in the POST request to /admin/leads/lead, with malicious HTML supplied via the name and address parameters. Impact is described as stored HTML injection; exploi...

CVSS 6.1 · AI score 6.7 · EPSS 0.00221
Exploits: 0 · References: 1 · Affected Software: 1

OSV
added 2024/08/12 1:38 p.m. · 3 views

CVE-2024-7643

A vulnerability was found in SourceCodester Leads Manager Tool 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /endpoint/delete-leads.php of the component Delete Leads Handler. The manipulation of the argument leads leads to sql injection. The atta...

CVSS 9.8 · AI score 5.7
Exploits: 0 · References: 4

Positive Technologies
added 2024/08/09 12:0 a.m. · 5 views

PT-2024-38475 · Sourcecodester · Sourcecodester Leads Manager Tool

Name of the Vulnerable Software and Affected Versions: SourceCodester Leads Manager Tool version 1.0. Description: A critical issue was found in the Delete Leads Handler component, specifically in the file /endpoint/delete-leads.php. The leads argument is vulnerable to SQL injection, which can be...

CVSS 9.8 · AI score 6.8 · EPSS 0.00891
Exploits: 1 · References: 5