Lucene search

5 matches found

Snyk
added 2026/04/16 9:46 p.m., 5 views

Partial String Comparison

Overview: flowise-components is a Flowiseai Components. Affected versions of this package are vulnerable to Partial String Comparison due to the replaceInputsWithConfig logic in packages/server/src/utils/index.ts. An attacker can override flow parameters by supplying a crafted override configuratio...

CVSS 9.8, AI score 5.9, EPSS 0.13789
Exploits: 1, References: 2
GithubExploit
added 2026/04/15 12:47 p.m., 242 views

Exploit for Code Injection in Flowiseai Flowise

CVE-2025-59528 — Flowise AI Authenticated Remote Code Executio...

CVSS 10, AI score 6.4, EPSS 0.90183
Exploits: 29
OSV
added 2025/10/06 2:8 p.m., 7 views

GHSA-HMGH-466J-FX4C Flowise vulnerable to RCE via Dynamic function constructor injection

Summary: User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing a malicious actor to run JS code in the context of the host, not sandboxed, leading to RCE. Details: When creating a new Custom MCP Chatflow in the platform, the MCP Server Config displays a...

CVSS 9.8, AI score 7.8, EPSS 0.1742
Exploits: 0, References: 4
NVD
added 2025/09/22 8:15 p.m., 12 views

CVE-2025-59528

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided...

CVSS 10, EPSS 0.90183
Exploits: 21, References: 8
CVE
added 2025/09/22 7:54 p.m., 242 views

CVE-2025-59528

Flowise 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig string is parsed and passed to the Function() constructor via convertToValidJSONString without validation, allowing an attacker to execute arbitrary JavaScript with Node.js privileges (e.g., ac...

CVSS 10, AI score 7.5, EPSS 0.90183
In wild, Exploits: 21, References: 8, Affected Software: 1