flowise

Flowise: Cypher Injection in GraphCypherQAChain

Flowise: Sensitive Data Leak in public-chatbotConfig

Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials

Flowise Cross-site Scripting in api/v1/chatflows/id

Flowise: Weak Default Express Session Secret

Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow in Flowise

Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request

Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains

FlowiseAI Pre-Auth Arbitrary Code Execution

FlowiseAI Flowise arbitrary file upload vulnerability

Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint

Flowise Cross-site Scripting in /api/v1/chatflows-streaming/id

Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association

Flowise Execute Flow function has an SSRF vulnerability

Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)

Flowise: Authenticated RCE Via MCP Adapters

Flowise Cross-site Scripting in /api/v1/public-chatflows/id

Flowise has Authorization Bypass via Spoofed x-request-from Header

Flowise: File Upload Validation Bypass in createAttachment

Flowise: Path Traversal in Vector Store basePath

Flowise vulnerable to RCE via Dynamic function constructor injection

Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox

Flowise Stored XSS vulnerability through logs in chatbot

Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability

Flowise vulnerable to code injection via api/v1

FlowiseAI/Flosise has File Upload vulnerability

Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability

Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)

Flowise: Remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using `Pandas`.

Flowise: resetPassword Authentication Bypass Vulnerability

Flowise Unauthenticated Denial of Service (DoS) vulnerability

Flowise: Code Injection in CSVAgent leads to Authenticated RCE

Flowise: Weak Default Token Hash Secret

Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs

Flowise has Insufficient Password Salt Rounds

Flowise: Parameter Override Bypass Remote Command Execution

Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration

Flowise Path Injection at /api/v1/openai-assistants-file

Flowise is vulnerable to arbitrary file exposure through its ReadFileTool

Flowise has Arbitrary File Upload via MIME Spoofing

Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint

Flowise and Flowise Chat Embed vulnerable to Stored Cross-site Scripting

Flowise: Password Reset Link Sent Over Unsecured HTTP

Flowise Missing Authentication on NVIDIA NIM Endpoints

Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure)

Flowise is vulnerable to arbitrary file write through its WriteFileTool

Flowise Cors Misconfiguration in packages/server/src/index.ts

Flowise: Weak Default JWT Secrets

Flowise affected by Server-Side Request Forgery (SSRF) in HTTP Node Leading to Internal Network Access

Flowise: Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages

Flowise Cross-site Scripting in/api/v1/credentials/id

Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel

Flowise Vulnerable to SQL Injection via `tableName` Parameter