Vendor CVEs
Flowiseai
All CVEs
66 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-30822 | | | 0.00 | — | 0.13 | | Mar 7, 2026 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when creating leads. This issue has been patched in version 3.0.13. |
| CVE-2026-30821 | | | 0.00 | — | 0.18 | | Mar 7, 2026 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELIST_URLS, allowing unauthenticated access to the file upload API. While the server validates… |
| CVE-2026-30820 | | | 0.00 | — | 0.00 | | Mar 7, 2026 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/** authorization checks.… |
| CVE-2025-34267 | | | 0.00 | — | 0.06 | | Oct 14, 2025 | Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOW_BUILTIN_DEP' enabled contain an authenticated remote code execution vulnerability and node VM sandbox escape due to insecure use of integrated modules (Puppeteer and Playwright) within the nodevm execution environment. An… |
| CVE-2025-61913 | | | 0.00 | — | 0.12 | | Oct 8, 2025 | Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, WriteFileTool and ReadFileTool in Flowise do not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read and write… |
| CVE-2025-61687 | | | 0.00 | — | 0.10 | | Oct 6, 2025 | Flowise is a drag & drop user interface to build a customized large language model flow. A file upload vulnerability in version 3.0.7 of FlowiseAI allows authenticated users to upload arbitrary files without proper validation. This enables attackers to persistently store… |
| CVE-2025-50538 | | | 0.00 | — | 0.13 | | Oct 6, 2025 | Flowise before 3.0.5 allows XSS via an IFRAME element when an admin views the chat log. |
| CVE-2025-29192 | | | 0.00 | — | 0.00 | | Oct 6, 2025 | Flowise before 3.0.5 allows XSS via a FORM element and an INPUT element when an admin views the chat log. |
| CVE-2025-59527 | | | 0.00 | — | 0.05 | | Sep 22, 2025 | Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, a Server-Side Request Forgery (SSRF) vulnerability was discovered in the /api/v1/fetch-links endpoint of the Flowise application. This vulnerability allows an attacker to… |
| CVE-2025-58434 | | | 0.00 | — | 0.50 | | Sep 12, 2025 | Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the `forgot-password` endpoint in Flowise returns sensitive information including a valid password reset `tempToken` without authentication or verification.… |
| CVE-2024-8182 | | | 0.00 | — | 0.14 | | Aug 27, 2024 | An Unauthenticated Denial of Service (DoS) vulnerability exists in Flowise version 1.8.2 leading to a complete crash of the instance running a vulnerable version due to improper handling of user supplied input to the "/api/v1/get-upload-file" API endpoint. |
| CVE-2024-37146 | | | 0.00 | — | 0.00 | | Jul 1, 2024 | Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/credentials/id` endpoint. If the default configuration is used (unauthenticated), an… |
| CVE-2024-37145 | | | 0.00 | — | 0.00 | | Jul 1, 2024 | Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/chatflows-streaming/id` endpoint. If the default configuration is used (unauthenticated),… |
| CVE-2024-36423 | | | 0.00 | — | 0.00 | | Jul 1, 2024 | Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/public-chatflows/id` endpoint. If the default configuration is used (unauthenticated), an… |
| CVE-2024-36422 | | | 0.00 | — | 0.00 | | Jul 1, 2024 | Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `api/v1/chatflows/id` endpoint. If the default configuration is used (unauthenticated), an attacker… |
| CVE-2024-36421 | | | 0.00 | — | 0.09 | | Jul 1, 2024 | Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration… |
Page 2 of 2