Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-kzee-t93b-jyg7
Summary
Flowise has Arbitrary File Upload via MIME Spoofing
---

**1. Root Cause**
The vulnerability stems from relying solely on the MIME type without cross-validating the file extension or actual content. This allows attackers to upload executable files (e.g., `.js`, `.php`) or malicious scripts (`.html`) by masquerading them as benign images or documents.

**2. Key Attack Scenarios**

- **Server Compromise (RCE):** An attacker uploads a **Web Shell** and triggers its execution on the server. Successful exploitation grants system privileges, allowing unauthorized access to internal data and full control over the server.
- **Client-Side Attack (Stored XSS):** An attacker uploads files containing malicious scripts (e.g., HTML, SVG). When a victim views the file, the script executes within their browser, leading to session cookie theft and account takeover.

**3. Impact**
This vulnerability is rated as **High** severity. The risk is particularly critical if the system utilizes shared storage (e.g., S3, GCS) or static hosting features, as the compromise could spread to the entire infrastructure and affect other tenants.
Aliases
0
alias CVE-2026-30821
1
alias GHSA-j8g8-j7fc-43v6
Fixed_packages
0
url pkg:npm/flowise@3.0.13
purl pkg:npm/flowise@3.0.13
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/flowise@3.0.13
Affected_packages
References
0
reference_url https://github.com/FlowiseAI/Flowise
reference_id
reference_type
scores
url https://github.com/FlowiseAI/Flowise
1
reference_url https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13
reference_id
reference_type
scores
url https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.13
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-30821
reference_id CVE-2026-30821
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-30821
3
reference_url https://github.com/advisories/GHSA-j8g8-j7fc-43v6
reference_id GHSA-j8g8-j7fc-43v6
reference_type
scores
url https://github.com/advisories/GHSA-j8g8-j7fc-43v6
4
reference_url https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j8g8-j7fc-43v6
reference_id GHSA-j8g8-j7fc-43v6
reference_type
scores
url https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j8g8-j7fc-43v6
Weaknesses
0
cwe_id 434
name Unrestricted Upload of File with Dangerous Type
description The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_scorenull
Exploitabilitynull
Weighted_severitynull
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-kzee-t93b-jyg7