90 Total advisories
90 Vulnerabilities
0 Malware
Vulnerabilities
HIGH 8.8
CVE-2026-46475
FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover
HIGH 8.8
CVE-2026-46444
FlowiseAI: Vector Store No Permission Checks
HIGH 8.8
CVE-2026-46480
FlowiseAI: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover
UNKNOWN
CVE-2026-42862
FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment
UNKNOWN
CVE-2026-46479
FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover
UNKNOWN
CVE-2026-46442
FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape
UNKNOWN
CVE-2026-46441
FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment
HIGH 7.5
CVE-2026-46440
FlowiseAI Exposes Basic Auth Credentials via API
UNKNOWN
CVE-2026-46476
FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover
UNKNOWN
CVE-2026-46478
FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover
UNKNOWN
CVE-2026-42863
FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment
UNKNOWN
CVE-2026-46443
FlowiseAI Vulnerable to Credential Data Leak
UNKNOWN
CVE-2026-46477
FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover
UNKNOWN
CVE-2026-42861
FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment
UNKNOWN
GHSA-c2c9-mfw7-p8hw
Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows
UNKNOWN
GHSA-59fh-9f3p-7m39
Flowise: Mass Assignment in PUT /api/v1/user Allows Authenticated Users to Override Password Hash and Bypass Password Change Verification
UNKNOWN
GHSA-m837-xvxr-vqwg
Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage
UNKNOWN
GHSA-m99r-2hxc-cp3q
Flowise has an MCP Security Bypass that Enables RCE
UNKNOWN
CVE-2026-43995
Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)
LOW 3.7
CVE-2026-8026
Flowise: Bcrypt Password Hash Exposure
HIGH 7.1
CVE-2026-41270
Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox
HIGH 7.5
CVE-2026-41275
Flowise: Password Reset Link Sent Over Unsecured HTTP
HIGH 7.5
CVE-2026-41278
Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs
CRITICAL 9.8
CVE-2026-41265
Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability
HIGH 7.1
CVE-2026-41269
Flowise: File Upload Validation Bypass in createAttachment
CRITICAL 9.8
CVE-2026-41276
Flowise: resetPassword Authentication Bypass Vulnerability
HIGH 8.3
CVE-2026-41138
Flowise: Remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using `Pandas`.
HIGH 7.7
CVE-2026-41268
Flowise: Parameter Override Bypass Remote Command Execution
HIGH 8.8
CVE-2026-41137
Flowise: Code Injection in CSVAgent leads to Authenticated RCE
HIGH 8.2
CVE-2026-41273
Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow in Flowise
HIGH 7.1
CVE-2026-41271
Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains
HIGH 7.5
CVE-2026-41279
Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials
HIGH 7.5
CVE-2026-41266
Flowise: Sensitive Data Leak in public-chatbotConfig
HIGH 8.1
CVE-2026-41267
Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association
HIGH 8.8
CVE-2026-41277
Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)
CRITICAL 9.8
CVE-2026-41264
Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability
HIGH 7.1
CVE-2026-41272
Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure)
UNKNOWN
CVE-2026-41274
Flowise: Cypher Injection in GraphCypherQAChain
MEDIUM 5.6
GHSA-m7mq-85xj-9x33
Flowise: Weak Default Token Hash Secret
UNKNOWN
GHSA-9hrv-gvrv-6gf2
Flowise Execute Flow function has an SSRF vulnerability
UNKNOWN
GHSA-w6v6-49gh-mc9w
Flowise: Path Traversal in Vector Store basePath
MEDIUM 5.3
GHSA-6pcv-j4jx-m4vx
Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request
MEDIUM 5.6
GHSA-2qqc-p94c-hxwh
Flowise: Weak Default Express Session Secret
CRITICAL 9.9
CVE-2026-40933
Flowise: Authenticated RCE Via MCP Adapters
MEDIUM 5.6
GHSA-cc4f-hjpj-g9p8
Flowise: Weak Default JWT Secrets
HIGH 7.1
CVE-2026-31829
Flowise affected by Server-Side Request Forgery (SSRF) in HTTP Node Leading to Internal Network Access
MEDIUM 5.3
CVE-2025-29192
Flowise Stored XSS vulnerability through logs in chatbot
UNKNOWN
CVE-2026-30824
Flowise Missing Authentication on NVIDIA NIM Endpoints
HIGH 7.7
CVE-2026-30822
Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint
HIGH 8.8
CVE-2026-30823
Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration
UNKNOWN
CVE-2026-30820
Flowise has Authorization Bypass via Spoofed x-request-from Header
UNKNOWN
CVE-2026-30821
Flowise has Arbitrary File Upload via MIME Spoofing
UNKNOWN
GHSA-jc5m-wrp2-qq38
Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint
MEDIUM 4.1
GHSA-x2g5-fvc2-gqvp
Flowise has Insufficient Password Salt Rounds
CRITICAL 9.9
CVE-2025-61913
Flowise is vulnerable to arbitrary file write through its WriteFileTool
HIGH 7.7
GHSA-j44m-5v8f-gc9c
Flowise is vulnerable to arbitrary file exposure through its ReadFileTool
CRITICAL 9.3
CVE-2025-50538
Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel
HIGH 8.3
CVE-2025-61687
FlowiseAI/Flosise has File Upload vulnerability
UNKNOWN
GHSA-v5w9-prxf-w882
Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register)
HIGH 8.1
GHSA-x7rp-qj2h-ghgw
Flowise Fails to Invalidate Existing Sessions After Password Changes
UNKNOWN
CVE-2025-34267
Flowise: Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages
CRITICAL 9.1
CVE-2025-57164
FlowiseAI Pre-Auth Arbitrary Code Execution
CRITICAL 9.1
GHSA-3g4j-r53p-22wx
Duplicate Advisory: FlowiseAI Pre-Auth Arbitrary Code Execution
CRITICAL 10.0
CVE-2025-59528
Flowise has Remote Code Execution vulnerability
UNKNOWN
GHSA-4fr9-3x69-36wv
Flowise vulnerable to XSS
HIGH 8.2
GHSA-7rgr-72hp-9wp3
Duplicate Advisory: Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel
HIGH 8.2
GHSA-wq95-wr7m-26h4
Duplicate Advisory: Flowise Stored XSS vulnerability through logs in chatbot
CRITICAL 9.8
CVE-2025-55346
Flowise vulnerable to RCE via Dynamic function constructor injection
CRITICAL 9.8
GHSA-q4xx-mc3q-23x8
Duplicate Advisory: Flowise vulnerable to RCE via Dynamic function constructor injection
HIGH 7.5
CVE-2025-59527
FlowiseAI/Flowise has Server-Side Request Forgery (SSRF) vulnerability
UNKNOWN
GHSA-6933-jpx5-q87q
Flowise has unsandboxed remote code execution via Custom MCP
CRITICAL 9.8
GHSA-q67q-549q-p849
Flowise has arbitrary file access due to missing chat flow id validation
CRITICAL 9.1
GHSA-99pg-hqvx-r4gf
Flowise has an Arbitrary File Read
CRITICAL 9.8
CVE-2025-58434
Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover
CRITICAL 9.8
CVE-2025-8943
Flowise OS command remote code execution
MEDIUM 5.9
GHSA-9c4c-g95m-c8cp
FlowiseDB vulnerable to SQL Injection by authenticated users
CRITICAL 10.0
GHSA-8vvx-qvq9-5948
Flowise allows arbitrary file write to RCE
UNKNOWN
GHSA-h42x-xx2q-6v6g
Flowise Pre-auth Arbitrary File Upload
UNKNOWN
CVE-2025-26319
FlowiseAI Flowise arbitrary file upload vulnerability
UNKNOWN
GHSA-5cph-wvm9-45gj
Flowise OverrideConfig security vulnerability
CRITICAL 9.6
CVE-2024-9148
Flowise and Flowise Chat Embed vulnerable to Stored Cross-site Scripting
HIGH 7.3
CVE-2024-8181
Flowise Authentication Bypass vulnerability
HIGH 7.5
CVE-2024-8182
Flowise Unauthenticated Denial of Service (DoS) vulnerability
HIGH 7.5
CVE-2024-36421
Flowise Cors Misconfiguration in packages/server/src/index.ts
MEDIUM 6.1
CVE-2024-37146
Flowise Cross-site Scripting in/api/v1/credentials/id
MEDIUM 6.1
CVE-2024-37145
Flowise Cross-site Scripting in /api/v1/chatflows-streaming/id
MEDIUM 6.1
CVE-2024-36423
Flowise Cross-site Scripting in /api/v1/public-chatflows/id
MEDIUM 6.1
CVE-2024-36422
Flowise Cross-site Scripting in api/v1/chatflows/id
HIGH 7.5
CVE-2024-36420
Flowise Path Injection at /api/v1/openai-assistants-file
HIGH 7.6
CVE-2024-31621
Flowise vulnerable to code injection via api/v1
Ready to move
Start Securing
Free, no credit card | First findings in minutes