HIGH 7.6
GHSA-gjx9-wg9x-7gvp
Flowise Vulnerable to SQL Injection via `tableName` Parameter
Details
Flowise <= 2.2.3 is vulnerable to SQL injection via the `tableName` parameter in Postgres_VectorStores.
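A PostgreSQL table name is an identifier and cannot be bound as a query parameter, so a user-supplied `tableName` has to be validated before it reaches SQL text. The following is an added example, not Flowise's code or its fix; the function names, the query shape and the sample inputs are assumptions constructed for illustration.

```typescript
// Added example, not Flowise code. Function names, columns and inputs are hypothetical.
// A PostgreSQL table name is an identifier: it cannot be sent as a $1 bind
// parameter, so it must be validated and quoted before entering SQL text.

interface Query { text: string; values: unknown[] }

const MAX_IDENTIFIER_LENGTH = 63; // PostgreSQL truncates identifiers at 63 bytes by default
const IDENTIFIER_RE = /^[A-Za-z_][A-Za-z0-9_]*$/; // ASCII allow-list, no quotes or spaces

// Reject anything that is not a plain identifier; return the name unchanged if valid.
function assertSafeIdentifier(name: string): string {
    if (name.length > MAX_IDENTIFIER_LENGTH || !IDENTIFIER_RE.test(name)) {
        throw new Error("rejected table name: " + JSON.stringify(name));
    }
    return name;
}

// Defence in depth: quote the validated name, doubling any embedded double quote.
// Note that a quoted identifier is case-sensitive in PostgreSQL.
function quoteIdentifier(name: string): string {
    return '"' + assertSafeIdentifier(name).replace(/"/g, '""') + '"';
}

// Pattern to avoid, shown for contrast: the name is concatenated unchecked.
function buildQueryUnsafe(tableName: string, limit: number): Query {
    return { text: `SELECT id, content FROM ${tableName} LIMIT $1`, values: [limit] };
}

// Hardened form: identifier validated and quoted, the value still bound as $1.
function buildQuery(tableName: string, limit: number): Query {
    return { text: `SELECT id, content FROM ${quoteIdentifier(tableName)} LIMIT $1`, values: [limit] };
}

// Returns the SQL text, or "REJECTED" when validation refuses the name.
function tryBuild(tableName: string): string {
    try {
        return buildQuery(tableName, 5).text;
    } catch (e) {
        return "REJECTED";
    }
}

// Constructed inputs: one ordinary name, one carrying extra SQL.
const samples: string[] = ["documents", "documents; SELECT 1 --"];
for (const s of samples) {
    console.log(JSON.stringify(s), "=>", tryBuild(s));
}
```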
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-29189 [ADVISORY]
- https://github.com/FlowiseAI/Flowise/pull/3818 [WEB]
- https://github.com/FlowiseAI/Flowise/commit/9a417bdc95f58d6dd92cbf60dad42414aba34754 [WEB]
- https://drive.google.com/file/d/1WHPslTmQmAM9xPJifULS2qAo7hcidB4L/view?usp=sharing [WEB]
- https://github.com/FlowiseAI/Flowise [PACKAGE]