Lucene search

11 matches found

NVD
added 2026/03/07 6:16 a.m., 2 views

CVE-2026-30824

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router /api/v1/nvidia-nim/ is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generati...

CVSS 9.8, EPSS 0.21588
Exploits: 2, References: 2
Vulnrichment
added 2026/03/07 5:11 a.m., 2 views

CVE-2026-30824 Flowise: Missing Authentication on NVIDIA NIM Endpoints

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router /api/v1/nvidia-nim/ is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generati...

CVSS 7.7, AI score 5.7, EPSS 0.21588
Exploits: 2, References: 2
Cvelist
added 2026/03/07 5:8 a.m., 28 views

CVE-2026-30822 Flowise: Mass Assignment in `/api/v1/leads` Endpoint

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when creating leads. This issue has been patched in version 3.0.13...

CVSS 7.7, EPSS 0.00455
Exploits: 1, References: 2
ATTACKERKB
added 2026/03/07 5:8 a.m., 1 views

CVE-2026-30822

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when creating leads. This issue has been patched in version 3.0.13...

CVSS 7.7, AI score 5.8, EPSS 0.00455
Exploits: 1, References: 3, Affected Software: 1
OSV
added 2026/03/07 5:7 a.m., 3 views

CVE-2026-30821 Flowise: Arbitrary File Upload via MIME Spoofing

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELISTURLS, allowing unauthenticated access to the file upload API. While the server validates uploads based on th...

CVSS 8.2, AI score 6, EPSS 0.00271
Exploits: 1, References: 4
RedhatCVE
added 2025/10/10 9:27 p.m., 2 views

CVE-2025-61602

BigBlueButton is an open-source virtual classroom. A denial-of-service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to crash the chat functionality for all participants in a meeting by sending a malformed reactionEmojiId in the GraphQL mutation...

CVSS 7.5, AI score 6.6, EPSS 0.00086
Exploits: 1, References: 1
NVD
added 2025/10/09 9:15 p.m., 2 views

CVE-2025-61601

BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature's Choices response type. By submitting a malicious payload with a massive array in...

CVSS 7.5, EPSS 0.00142
Exploits: 1, References: 3
CVE
added 2025/10/09 8:40 p.m., 10 views

CVE-2025-61602

BigBlueButton (open-source virtual classroom) has a DoS vulnerability in chat that allows an authenticated user to crash the chat for all participants by sending a malformed reactionEmojiId via the GraphQL mutation chatSendMessageReaction in versions prior to 3.0.13. Version 3.0.13 contains a pat...

CVSS 7.5, AI score 6.3, EPSS 0.00086
Exploits: 1, References: 2, Affected Software: 1
EUVD
added 2025/10/09 8:40 p.m., 2 views

EUVD-2025-33560

BigBlueButton is an open-source virtual classroom. A denial-of-service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to crash the chat functionality for all participants in a meeting by sending a malformed reactionEmojiId in the GraphQL mutation...

CVSS 7.5, AI score 6.1, EPSS 0.00086
Exploits: 1, References: 2
OSV
added 2025/10/09 8:40 p.m., 2 views

CVE-2025-61602 BigBlueButton vulnerable to Chat DoS via invalid reactionEmojiId

BigBlueButton is an open-source virtual classroom. A denial-of-service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to crash the chat functionality for all participants in a meeting by sending a malformed reactionEmojiId in the GraphQL mutation...

CVSS 7.5, AI score 6.7, EPSS 0.00086
Exploits: 1, References: 4
EUVD
added 2025/10/09 8:29 p.m., 1 views

EUVD-2025-33564

BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature's Choices response type. By submitting a malicious payload with a massive array in...

CVSS 7.5, AI score 6.2, EPSS 0.00142
Exploits: 1, References: 3