CVE-2026-41276
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific...
CVE-2026-41276 Flowise: AccountService resetPassword Authentication Bypass Vulnerability
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific...
EUVD-2026-25295
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific...
CVE-2026-41276
Flowise (FlowiseAI Flowise) has a REST-authentication bypass vulnerability in the AccountService.resetPassword flow. Before version 3.1.0, an attacker who knows a user’s email can request a password reset with a null/empty token, bypass the need for a valid reset token, and set the user’s passwor...
PT-2026-34744
Name of the Vulnerable Software and Affected Versions: Flowise versions prior to 3.1.0. Description: Remote attackers can bypass authentication in Flowise. The issue exists within the resetPassword function of the AccountService class, where the system fails to verify if a password reset token was...
CVE-2026-32103
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocmsapi/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account...
CVE-2026-31881 Runtipi unauthenticated /api/auth/reset-password allows operator account takeover during active reset window
Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator admin password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization...
CVE-2025-51741
An issue was discovered in Veal98 Echo Open-Source Community System 2.2 through 2.3 allowing an unauthenticated attacker to cause the server to send email verification messages to arbitrary users via the /sendEmailCodeForResetPwd endpoint, potentially causing a denial of service to the server or the...
EUVD-2025-199647
An issue was discovered in Veal98 Echo Open-Source Community System 2.2 through 2.3 allowing an unauthenticated attacker to cause the server to send email verification messages to arbitrary users via the /sendEmailCodeForResetPwd endpoint, potentially causing a denial of service to the server or the...
Echo security vulnerability
Echo is an open source community system without front-end/back-end separation, developed by the individual developer Veal98. A security vulnerability exists in Echo versions 2.2 through 2.3 that originates in the sendEmailCodeForResetPwd endpoint, which allows unauthenticated attackers to send...
EUVD-2025-25212
Malicious code in bioql PyPI...
Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover
Summary: The forgot-password endpoint in Flowise returns sensitive information, including a valid password reset tempToken, without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account...
CVE-2025-51543
An issue was discovered in Cicool builder 3.4.4 allowing attackers to reset the administrator's password via the /administrator/auth/resetpassword endpoint...