VYPR

npm package

flowise

pkg:npm/flowise

Vulnerabilities (63)

  • CVE-2026-46480HigJun 8, 2026
    affected < 3.1.2fixed 3.1.2

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluator create and update mass-assignment allows cross-workspace evaluator takeover. This issue has been patched in version 3.1.2.

  • CVE-2026-46479HigJun 8, 2026
    affected < 3.1.2fixed 3.1.2

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluation create and update mass-assignment allows cross-workspace evaluation takeover. This issue has been patched in version 3.1.2.

  • CVE-2026-46478HigJun 8, 2026
    affected < 3.1.2fixed 3.1.2

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, DatasetRow create and update mass-assignment allows cross-workspace row takeover. This issue has been patched in version 3.1.2.

  • CVE-2026-46477HigJun 8, 2026
    affected < 3.1.2fixed 3.1.2

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, dataset create and update mass-assignment allows cross-workspace dataset takeover. This issue has been patched in version 3.1.2.

  • CVE-2026-46476HigJun 8, 2026
    affected < 3.1.2fixed 3.1.2

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, CustomTemplate create and update mass-assignment allows cross-workspace template takeover. This issue has been patched in version 3.1.2.

  • CVE-2026-46475HigJun 8, 2026
    affected < 3.1.2fixed 3.1.2

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, assistant create and update mass-assignment allows cross-workspace assistant takeover. This issue has been patched in version 3.1.2.

  • CVE-2026-46444HigJun 8, 2026
    affected < 3.1.2fixed 3.1.2

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, all CRUD endpoints for OpenAI Assistants Vector Store have no authentication middleware and the route path /api/v1/openai-assistants-vector-store is not in WHITELIST_U

  • CVE-2026-46443MedJun 8, 2026
    affected < 3.1.2fixed 3.1.2

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, when credentials are fetched with a credentialName filter parameter, the encryptedData field is not stripped from the response. The code properly omits encryptedData w

  • CVE-2026-46442CriJun 8, 2026
    affected < 3.1.2fixed 3.1.2

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function

  • CVE-2026-46441CriJun 8, 2026
    affected < 3.1.2fixed 3.1.2

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties su

  • CVE-2026-46440CriJun 8, 2026
    affected < 3.1.2fixed 3.1.2

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. This issue has been patched in version 3.1.2.

  • CVE-2026-42863HigJun 8, 2026
    affected < 3.1.2fixed 3.1.2

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as deploye

  • CVE-2026-42862MedJun 8, 2026
    affected < 3.1.2fixed 3.1.2

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as

  • CVE-2026-42861CriJun 8, 2026
    affected < 3.1.2fixed 3.1.2

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the variable update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties suc

  • CVE-2026-43995CriMay 11, 2026
    affected < 3.1.0fixed 3.1.0

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios) instead of using the secured wrapper. These tools include (1) OpenAPIToolkit/Open

  • CVE-2026-8026LowMay 6, 2026
    affected <= 3.0.12

    A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterprise/services/account.service.ts of the component API Response Handler. The manipulation results in information disclosure. The attack can b

  • CVE-2026-41274CriApr 23, 2026
    affected < 3.1.0fixed 3.1.0

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher

  • CVE-2026-41279HigApr 23, 2026
    affected < 3.1.0fixed 3.1.0

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId directly in the request body. When called wit

  • CVE-2026-41278HigApr 23, 2026
    affected < 3.1.0fixed 3.1.0

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initial

  • CVE-2026-41277HigApr 23, 2026
    affected < 3.1.0fixed 3.1.0

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and internal state fields of DocumentStore en

Page 1 of 4