flowise
npm · 36 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting flowise (page 1 of 1)
- CVE-2024-31621 | HIGH | CVSS 7.6 | EG 7.6 | Fixed in 1.8.1 | 2024-04-29
An issue in FlowiseAI Inc Flowise v.1.6.2 and before allows a remote attacker to execute arbitrary code via a crafted script to the api/v1 component.
- CVE-2024-36420 | HIGH | CVSS 7.5 | EG 7.5 | 2024-07-01
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the `/api/v1/openai-assistants-file` endpoint in `index.ts` is vulnerable to arbitrary file read due to lack of sanitizat…
- CVE-2024-36421 | HIGH | CVSS 7.5 | EG 7.5 | 2024-07-01
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the …
- CVE-2024-36422 | MEDIUM | CVSS 6.1 | EG 6.1 | 2024-07-01
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `api/v1/chatflows/id` endpoint. If the default configuration…
- CVE-2024-36423 | MEDIUM | CVSS 6.1 | EG 6.1 | 2024-07-01
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/public-chatflows/id` endpoint. If the default confi…
- CVE-2024-37145 | MEDIUM | CVSS 6.1 | EG 6.1 | 2024-07-01
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/chatflows-streaming/id` endpoint. If the default co…
- CVE-2024-37146 | MEDIUM | CVSS 6.1 | EG 6.1 | 2024-07-01
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/credentials/id` endpoint. If the default configurat…
- CVE-2024-8181 | CRITICAL | CVSS 9.8 | EG 7.3 | 2024-08-27
An Authentication Bypass vulnerability exists in Flowise version 1.8.2. This could allow a remote, unauthenticated attacker to access API endpoints as an administrator and allow them to access restricted functionality.
- CVE-2024-8182 | HIGH | CVSS 7.5 | EG 7.5 | 2024-08-27
An Unauthenticated Denial of Service (DoS) vulnerability exists in Flowise version 1.8.2 leading to a complete crash of the instance running a vulnerable version due to improper handling of user supplied input to the “/api/v1/get-upload-…
- CVE-2024-9148 | CRITICAL | CVSS 9.6 | EG 9.6 | Fixed in 2.1.1 | 2024-09-25
Flowise < 2.1.1 suffers from a Stored Cross-Site vulnerability due to a lack of input sanitization in Flowise Chat Embed < 2.0.0.
- CVE-2025-34267 | CRITICAL | CVSS 9.9 | EG 9.9 | Fixed in 3.0.8 | 2025-10-14
Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOW_BUILTIN_DEP' enabled contain an authenticated remote code execution vulnerability and node VM sandbox escape due to insecure use of integrated modules (Puppeteer and Playwright) wit…
- CVE-2025-55346 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-08-14
User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request.
- CVE-2025-57164 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 3.0.6 | 2025-10-17
  vulnerable: 3.0.5
Flowise through v3.0.4 is vulnerable to remote code execution via unsanitized evaluation of user input in the "Supabase RPC Filter" field.
- CVE-2025-58434 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 3.0.6 | 2025-09-12
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the `forgot-password` endpoint in Flowise returns sensitive information including a valid password reset `tempToken` wit…
- CVE-2025-59527 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 3.0.6 | 2025-09-22
  vulnerable: 3.0.5
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, a Server-Side Request Forgery (SSRF) vulnerability was discovered in the /api/v1/fetch-links endpoint of the Flowise application. Th…
- CVE-2026-40933 | CRITICAL | CVSS 9.9 | EG 9.9 | Fixed in 3.1.0 | 2026-04-21
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitr…
- CVE-2026-41137 | HIGH | CVSS 8.8 | EG 8.8 | Fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection …
- CVE-2026-41138 | HIGH | CVSS 8.8 | EG 8.8 | Fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas. The user’…
- CVE-2026-41264 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSV_Agents class. The issue results from the lack of proper sandboxing when eval…
- CVE-2026-41265 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when…
- CVE-2026-41266 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration w…
- CVE-2026-41267 | HIGH | CVSS 8.1 | EG 8.1 | Fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticate…
- CVE-2026-41268 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter …
- CVE-2026-41269 | HIGH | CVSS 7.1 | EG 7.1 | Fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker u…
- CVE-2026-41270 | HIGH | CVSS 7.1 | EG 7.1 | Fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application impl…
- CVE-2026-41271 | HIGH | CVSS 8.3 | EG 8.3 | Fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated att…
- CVE-2026-41272 | HIGH | CVSS 7.1 | EG 7.1 | Fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Side Request Forgery (SSRF) contain multipl…
- CVE-2026-41273 | HIGH | CVSS 8.2 | EG 8.2 | Fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens asso…
- CVE-2026-41274 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization…
- CVE-2026-41275 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the password reset functionality on cloud.flowiseai.com sends a reset password link over the unsecured HTTP protocol instead of HTTPS.…
- CVE-2026-41276 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote attackers to bypass authentication on affected installations of FlowiseAI Flowise. Authentication is …
- CVE-2026-41277 | HIGH | CVSS 8.8 | EG 8.8 | Fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and …
- CVE-2026-41278 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker valid…
- CVE-2026-41279 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) is whitelisted (no auth) and accepts a credentialId dire…
- CVE-2026-43995 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 3.1.0 | 2026-05-11
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios) instead of using the secured wrapper. Th…
- CVE-2026-8026 | LOW | CVSS 3.7 | EG 3.7 | 2026-05-06
A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterprise/services/account.service.ts of the component API Response Handler. The manipulation results in…