VYPR
Vendor: Flowiseai

Products: 1
CVEs: 66
Across products: 66
Status: Private

Recent CVEs (66)
  • CVE-2026-41274 | Critical | Apr 23, 2026
    risk 0.64 | cvss 9.8 | epss 0.01

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary…

  • CVE-2026-41276 | Critical | Apr 23, 2026
    risk 0.64 | cvss 9.8 | epss 0.07

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this…

  • CVE-2026-41268 | Critical | Apr 23, 2026
    risk 0.64 | cvss 9.8 | epss 0.14

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE::…

  • CVE-2026-41265 | Critical | Apr 23, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python…

  • CVE-2026-41264 | Critical | Apr 23, 2026
    risk 0.64 | cvss 9.8 | epss 0.01

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSV_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script.…

  • CVE-2026-40933 | Critical | Apr 21, 2026
    risk 0.64 | cvss 9.9 | epss 0.02

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command…

  • CVE-2025-59434 | Critical | Sep 22, 2025
    risk 0.62 | cvss 9.6 | epss 0.03

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive environment variables from other tenants via…

  • CVE-2026-46442 | Critical | Jun 8, 2026
    risk 0.57 | cvss 9.9 | epss 0.01

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function…

  • CVE-2026-41277 | High | Apr 23, 2026
    risk 0.57 | cvss 8.8 | epss 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and internal state fields of DocumentStore…

  • CVE-2026-41138 | High | Apr 23, 2026
    risk 0.57 | cvss 8.8 | epss 0.01

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas. The user’s input is directly applied to the…

  • CVE-2026-41137 | High | Apr 23, 2026
    risk 0.57 | cvss 8.8 | epss 0.01

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and…

  • CVE-2026-46441 | Critical | Jun 8, 2026
    risk 0.55 | cvss 9.6 | epss 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties…

  • CVE-2026-42861 | Critical | Jun 8, 2026
    risk 0.55 | cvss 9.6 | epss 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the variable update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties…

  • CVE-2026-41271 | High | Apr 23, 2026
    risk 0.54 | cvss 8.3 | epss 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make…

  • CVE-2026-41273 | High | Apr 23, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow. By…

  • CVE-2026-41267 | High | Apr 23, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attackers to inject server-managed…

  • CVE-2026-46476 | High | Jun 8, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, CustomTemplate create and update mass-assignment allows cross-workspace template takeover. This issue has been patched in version 3.1.2.

  • CVE-2026-46475 | High | Jun 8, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, assistant create and update mass-assignment allows cross-workspace assistant takeover. This issue has been patched in version 3.1.2.

  • CVE-2026-46444 | High | Jun 8, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, all CRUD endpoints for OpenAI Assistants Vector Store have no authentication middleware and the route path /api/v1/openai-assistants-vector-store is not in…

  • CVE-2026-41279 | High | Apr 23, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId directly in the request body. When called…