HIGH npm
GHSA-28g4-38q8-3cwc · CVE-2026-41274 Flowise: Cypher Injection in GraphCypherQAChain
Modified: 5/5/2026
package
npm / flowise
pkg:npm/flowise
MEDIUM 6.1 npm
GHSA-2jch-qc96-9f5g · CVE-2024-36422 Flowise Cross-site Scripting in api/v1/chatflows/id
Modified: 8/5/2024
HIGH 7.3 npm
GHSA-2q4w-x8h2-2fvh · CVE-2024-8181 Flowise Authentication Bypass vulnerability
Modified: 9/4/2024
MEDIUM 5.6 npm
GHSA-2qqc-p94c-hxwh Flowise: Weak Default Express Session Secret
Modified: 4/16/2026
CRITICAL 9.8 npm
GHSA-2vv2-3x8x-4gv7 · CVE-2025-8943 Flowise OS command remote code execution
Modified: 8/18/2025
HIGH 7.1 npm
GHSA-2x8m-83vc-6wv4 · CVE-2026-41272 Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure)
Modified: 5/5/2026
HIGH 8.3 npm
GHSA-35g6-rrw3-v6xc · CVE-2025-61687 FlowiseAI/Flosise has File Upload vulnerability
Modified: 12/16/2025
CRITICAL 10.0 npm
GHSA-3gcm-f6qx-ff7p · CVE-2025-59528 Flowise has Remote Code Execution vulnerability
Modified: 10/13/2025
CRITICAL 9.8 npm
GHSA-3hjv-c53m-58jj · CVE-2026-41264 Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability
Modified: 5/5/2026
HIGH 8.8 npm
GHSA-3prp-9gf7-4rxx · CVE-2026-41277 Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)
Modified: 5/5/2026
HIGH 8.1 npm
GHSA-48m6-ch88-55mj · CVE-2026-41267 Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association
Modified: 5/5/2026
HIGH 7.5 npm
GHSA-48x4-mx8f-gr4h · CVE-2024-8182 Flowise Unauthenticated Denial of Service (DoS) vulnerability
Modified: 8/27/2024
MEDIUM npm
GHSA-4fr9-3x69-36wv Flowise vulnerable to XSS
Modified: 10/13/2025
HIGH 7.5 npm
GHSA-4jpm-cgx2-8h37 · CVE-2026-41266 Flowise: Sensitive Data Leak in public-chatbotConfig
Modified: 5/5/2026
MEDIUM npm
GHSA-59fh-9f3p-7m39 Flowise: Mass Assignment in PUT /api/v1/user Allows Authenticated Users to Override Password Hash and Bypass Password Change Verification
Modified: 5/20/2026
HIGH npm
GHSA-5cph-wvm9-45gj Flowise OverrideConfig security vulnerability
Modified: 11/21/2024
HIGH npm
GHSA-5f53-522j-j454 · CVE-2026-30824 Flowise Missing Authentication on NVIDIA NIM Endpoints
Modified: 3/9/2026
HIGH 7.5 npm
GHSA-5fw2-mwhh-9947 · CVE-2026-41279 Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials
Modified: 5/5/2026
HIGH npm
GHSA-5h9v-837x-m97r · CVE-2026-46477 FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover
Modified: 6/9/2026
HIGH npm
GHSA-5wxp-qjgq-fx6m · CVE-2026-42863 FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment
Modified: 6/9/2026
HIGH 7.5 npm
GHSA-66f2-xxgm-f6xp · CVE-2024-36421 Flowise Cors Misconfiguration in packages/server/src/index.ts
Modified: 8/5/2024
HIGH npm
GHSA-6933-jpx5-q87q Flowise has unsandboxed remote code execution via Custom MCP
Modified: 9/15/2025
HIGH npm
GHSA-69jq-qr7w-j7qh · CVE-2025-26319 FlowiseAI Flowise arbitrary file upload vulnerability
Modified: 3/5/2025
HIGH 8.2 npm
GHSA-6f7g-v4pp-r667 · CVE-2026-41273 Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow in Flowise
Modified: 5/5/2026
HIGH npm
GHSA-6fw7-3q8r-m5vj · CVE-2026-42861 FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment
Modified: 6/9/2026
MEDIUM 5.3 npm
GHSA-6pcv-j4jx-m4vx Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request
Modified: 4/16/2026
HIGH 7.1 npm
GHSA-6r77-hqx7-7vw8 · CVE-2026-41271 Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains
Modified: 5/5/2026
HIGH 7.6 npm
GHSA-6wp6-22x5-rr3w · CVE-2024-31621 Flowise vulnerable to code injection via api/v1
Modified: 8/2/2024
HIGH npm
GHSA-728h-4mwj-f2p4 · CVE-2026-46476 FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover
Modified: 6/9/2026
HIGH npm
GHSA-78pr-c5x5-jggc · CVE-2026-46475 FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover
Modified: 6/9/2026
CRITICAL 9.1 npm
GHSA-7944-7c6r-55vv · CVE-2025-57164 FlowiseAI Pre-Auth Arbitrary Code Execution
Modified: 10/17/2025
HIGH npm
GHSA-7g73-99r4-m4mj · CVE-2026-46443 FlowiseAI Vulnerable to Credential Data Leak
Modified: 6/9/2026
HIGH npm
GHSA-7j65-65cr-6644 · CVE-2026-46478 FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover
Modified: 6/9/2026
MEDIUM 5.3 npm
GHSA-7r4h-vmj9-wg42 · CVE-2025-29192 Flowise Stored XSS vulnerability through logs in chatbot
Modified: 3/14/2026
MEDIUM 6.1 npm
GHSA-858c-qxvx-rg9v · CVE-2024-37145 Flowise Cross-site Scripting in /api/v1/chatflows-streaming/id
Modified: 8/5/2024
LOW 3.7 npm
GHSA-8f47-4rh3-x44m · CVE-2026-8026 Flowise: Bcrypt Password Hash Exposure
Modified: 5/12/2026
CRITICAL 10.0 npm
GHSA-8vvx-qvq9-5948 Flowise allows arbitrary file write to RCE
Modified: 3/14/2025
CRITICAL 9.3 npm
GHSA-964p-j4gg-mhwc · CVE-2025-50538 Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel
Modified: 2/4/2026
CRITICAL 9.1 npm
GHSA-99pg-hqvx-r4gf Flowise has an Arbitrary File Read
Modified: 9/15/2025
MEDIUM 5.9 npm
GHSA-9c4c-g95m-c8cp FlowiseDB vulnerable to SQL Injection by authenticated users
Modified: 4/7/2025
MEDIUM npm
GHSA-9hrv-gvrv-6gf2 Flowise Execute Flow function has an SSRF vulnerability
Modified: 4/16/2026
CRITICAL npm
GHSA-9rvc-vf7m-pgm2 · CVE-2026-46442 FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape
Modified: 6/9/2026
HIGH 8.8 npm
GHSA-9wc7-mj3f-74xv · CVE-2026-41137 Flowise: Code Injection in CSVAgent leads to Authenticated RCE
Modified: 5/5/2026
MEDIUM npm
GHSA-c2c9-mfw7-p8hw Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows
Modified: 5/20/2026
CRITICAL 9.9 npm
GHSA-c9gw-hvqq-f33r · CVE-2026-40933 Flowise: Authenticated RCE Via MCP Adapters
Modified: 4/16/2026
MEDIUM 5.6 npm
GHSA-cc4f-hjpj-g9p8 Flowise: Weak Default JWT Secrets
Modified: 4/16/2026
HIGH 7.7 npm
GHSA-cvrr-qhgw-2mm6 · CVE-2026-41268 Flowise: Parameter Override Bypass Remote Command Execution
Modified: 5/5/2026
HIGH 8.8 npm
GHSA-cwc3-p92j-g7qm · CVE-2026-30823 Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration
Modified: 3/9/2026
HIGH 8.3 npm
GHSA-f228-chmx-v6j6 · CVE-2026-41138 Flowise: Remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using `Pandas`.
Modified: 5/5/2026
CRITICAL 9.8 npm
GHSA-f6hc-c5jr-878p · CVE-2026-41276 Flowise: resetPassword Authentication Bypass Vulnerability
Modified: 5/5/2026
MEDIUM 6.1 npm
GHSA-fccx-2pwj-hrq7 · CVE-2024-36423 Flowise Cross-site Scripting in /api/v1/public-chatflows/id
Modified: 8/5/2024
HIGH 7.1 npm
GHSA-fvcw-9w9r-pxc7 · CVE-2026-31829 Flowise affected by Server-Side Request Forgery (SSRF) in HTTP Node Leading to Internal Network Access
Modified: 4/10/2026
CRITICAL npm
GHSA-h42x-xx2q-6v6g Flowise Pre-auth Arbitrary File Upload
Modified: 3/13/2025
HIGH 7.5 npm
GHSA-h997-3fxj-p5j8 · CVE-2024-36420 Flowise Path Injection at /api/v1/openai-assistants-file
Modified: 8/5/2024
HIGH 8.8 npm
GHSA-hmg2-jjjx-jcp2 · CVE-2026-46444 FlowiseAI: Vector Store No Permission Checks
Modified: 6/11/2026
CRITICAL 9.8 npm
GHSA-hmgh-466j-fx4c · CVE-2025-55346 Flowise vulnerable to RCE via Dynamic function constructor injection
Modified: 10/6/2025
HIGH npm
GHSA-hp26-q66v-q2w7 · CVE-2026-46441 FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment
Modified: 6/9/2026
HIGH 7.5 npm
GHSA-hr92-4q35-4j3m · CVE-2025-59527 FlowiseAI/Flowise has Server-Side Request Forgery (SSRF) vulnerability
Modified: 9/22/2025
HIGH 7.7 npm
GHSA-j44m-5v8f-gc9c Flowise is vulnerable to arbitrary file exposure through its ReadFileTool
Modified: 2/4/2026
HIGH npm
GHSA-j8g8-j7fc-43v6 · CVE-2026-30821 Flowise has Arbitrary File Upload via MIME Spoofing
Modified: 3/9/2026
MEDIUM npm
GHSA-jc5m-wrp2-qq38 Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint
Modified: 3/5/2026
CRITICAL 9.9 npm
GHSA-jv9m-vf54-chjj · CVE-2025-61913 Flowise is vulnerable to arbitrary file write through its WriteFileTool
Modified: 2/4/2026
CRITICAL 9.6 npm
GHSA-m5p9-xvxj-64c8 · CVE-2024-9148 Flowise and Flowise Chat Embed vulnerable to Stored Cross-site Scripting
Modified: 9/30/2024
MEDIUM 5.6 npm
GHSA-m7mq-85xj-9x33 Flowise: Weak Default Token Hash Secret
Modified: 4/16/2026
MEDIUM npm
GHSA-m837-xvxr-vqwg Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage
Modified: 5/20/2026
HIGH npm
GHSA-m99r-2hxc-cp3q Flowise has an MCP Security Bypass that Enables RCE
Modified: 5/16/2026
HIGH 7.7 npm
GHSA-mq4r-h2gh-qv7x · CVE-2026-30822 Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint
Modified: 3/9/2026
HIGH npm
GHSA-mq53-pc65-wjc4 · CVE-2026-46479 FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover
Modified: 6/9/2026
HIGH 7.5 npm
GHSA-php6-83fg-gw3g · CVE-2026-46440 FlowiseAI Exposes Basic Auth Credentials via API
Modified: 6/9/2026
CRITICAL 9.8 npm
GHSA-q67q-549q-p849 Flowise has arbitrary file access due to missing chat flow id validation
Modified: 9/15/2025
MEDIUM npm
GHSA-qqvm-66q4-vf5c · CVE-2026-43995 Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)
Modified: 5/13/2026
HIGH npm
GHSA-r4hh-pcgx-j5r2 · CVE-2025-34267, GHSA-5w3r-f6gm-c25w Flowise: Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages
Modified: 10/29/2025
HIGH 7.1 npm
GHSA-rh7v-6w34-w2rr · CVE-2026-41269 Flowise: File Upload Validation Bypass in createAttachment
Modified: 5/5/2026
CRITICAL 9.8 npm
GHSA-v38x-c887-992f · CVE-2026-41265 Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability
Modified: 5/5/2026
HIGH npm
GHSA-v5w9-prxf-w882 Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register)
Modified: 11/17/2025
HIGH 7.5 npm
GHSA-w47f-j8rh-wx87 · CVE-2026-41278 Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs
Modified: 5/5/2026
MEDIUM npm
GHSA-w6v6-49gh-mc9w Flowise: Path Traversal in Vector Store basePath
Modified: 4/16/2026
CRITICAL 9.8 npm
GHSA-wgpv-6j63-x5ph · CVE-2025-58434 Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover
Modified: 9/15/2025
HIGH npm
GHSA-wvhq-wp8g-c7vq · CVE-2026-30820 Flowise has Authorization Bypass via Spoofed x-request-from Header
Modified: 3/9/2026
MEDIUM 6.1 npm
GHSA-wxm4-9f8p-gggv · CVE-2024-37146 Flowise Cross-site Scripting in/api/v1/credentials/id
Modified: 8/5/2024
HIGH 8.8 npm
GHSA-wxrr-jp8m-qq7f · CVE-2026-46480 FlowiseAI: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover
Modified: 6/9/2026
MEDIUM 4.1 npm
GHSA-x2g5-fvc2-gqvp Flowise has Insufficient Password Salt Rounds
Modified: 3/5/2026
HIGH npm
GHSA-x5v6-pj28-cwwm · CVE-2026-42862 FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment
Modified: 6/9/2026
HIGH 7.5 npm
GHSA-x5w6-38gp-mrqh · CVE-2026-41275 Flowise: Password Reset Link Sent Over Unsecured HTTP
Modified: 5/5/2026
HIGH 8.1 npm
GHSA-x7rp-qj2h-ghgw Flowise Fails to Invalidate Existing Sessions After Password Changes
Modified: 11/14/2025
HIGH 7.1 npm
GHSA-xhmj-rg95-44hv · CVE-2026-41270 Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox
Modified: 5/5/2026