CVE-2025-71334

Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an arbitrary file access vulnerability due to missing validation that chatflowId and chatId are UUIDs or numbers in file handling. An attacker can use path traversal (e.g., ../../../../../tmp) via /api/v1/chatflows (addBase64File...