Flowiseai Flowise-Components vulnerabilities
6 known vulnerabilities affecting flowiseai/flowise-components.
Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 4
Vulnerabilities
CVE-2026-40933 | P2 | CRITICAL | CVSS 9.9 | CWE-78 | fixed in 3.1.0 | 2026-04-21
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution. The vulnerability lies in a bug in the input sanitization from the “C
Source: NVD
CVE-2026-41274 | P2 | CRITICAL | CVSS 9.8 | CWE-943 | fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enablin
Source: NVD
CVE-2026-41137 | P2 | HIGH | CVSS 8.8 | CWE-94 | fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the CSVAgent allows providing custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0.
Source: NVD
CVE-2026-41271 | P3 | HIGH | CVSS 8.3 | CWE-918 | fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems. By injecting maliciou
Source: NVD
CVE-2026-41270 | P3 | HIGH | CVSS 8.3 | CWE-284 | fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTP_DENY_LIST for axios and node-fetch libraries, the built-in Node.js http, https, an
Source: NVD
CVE-2026-41272 | P3 | HIGH | CVSS 7.1 | CWE-918 | fixed in 3.1.0 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Side Request Forgery (SSRF) contain multiple logic flaws. These flaws allow attackers to bypass the allow/deny lists via DNS Rebinding (Time-of-Check Time-of
Source: NVD