Lucene search
K

6 matches found

NVD
NVD
added 2026/06/08 4:16 p.m.15 views

CVE-2026-42861

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the variable update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId,...

9.6CVSS0.00254EPSS
Exploits1References2
CVE
CVE
added 2026/06/08 3:30 p.m.31 views

CVE-2026-46441

CVE-2026-46441 affects Flowise versions prior to 3.1.2. A mass assignment flaw allows authenticated users to modify server-controlled fields (workspaceId, createdDate, updatedDate) via PUT /api/v1/assistants/{assistantId}, enabling cross-workspace reassignment of assistants and breaking tenant is...

9.6CVSS5.5AI score0.00274EPSS
Exploits1References2Affected Software1
NVD
NVD
added 2026/05/22 7:17 p.m.10 views

CVE-2026-39968

TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the fix for GHSA-4xc5-wfwc-jw47 "Credential Theft via Client-Side Script Execution and API Authorization Bypass" is incomplete. While the builder's getCredentials tRPC endpoint was patched with workspace membership checks, the...

7.1CVSS0.00271EPSS
Exploits0References3
CVE
CVE
added 2026/05/22 6:26 p.m.35 views

CVE-2026-39968

TypeBot (builder) vulnerable in versions ≤ 3.15.2: the bot-engine’s getCredentials() uses a faulty ownership check and accepts a client-controlled, even empty, workspaceId in the preview endpoint, allowing cross-workspace credential access. This enables credential exfiltration and potential abuse...

7.1CVSS5.8AI score0.00271EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/22 6:26 p.m.6 views

CVE-2026-39968

TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the fix for GHSA-4xc5-wfwc-jw47 "Credential Theft via Client-Side Script Execution and API Authorization Bypass" is incomplete. While the builder's getCredentials tRPC endpoint was patched with workspace membership checks, the...

7.1CVSS5.8AI score0.00271EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/05/14 4:19 p.m.11 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the Object.assign process. An attacker can gain unauthorized access to and control over assistants across different workspac...

7.7CVSS5.8AI score0.00335EPSS
Exploits0References2
Rows per page
Query Builder