Package impact

npm / flowise

CVE Severity CVSS Risk Flags OS Vendor Published Description
CVE-2026-43995 critical 9.8 9.8 23d ago Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)
CVE-2026-41274 critical 9.8 9.8 1mo ago Flowise: Cypher Injection in GraphCypherQAChain
CVE-2026-46442 critical 9.5 20d ago FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape
CVE-2026-46480 high 8.0 20d ago FlowiseAI: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover
CVE-2026-46479 high 8.0 20d ago FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover
CVE-2026-46478 high 8.0 20d ago FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover
CVE-2026-46477 high 8.0 20d ago FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover
CVE-2026-46476 high 8.0 20d ago FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover
CVE-2026-46475 high 8.0 20d ago FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover
CVE-2026-46444 high 8.0 20d ago FlowiseAI: Vector Store No Permission Checks
CVE-2026-46443 high 8.0 20d ago FlowiseAI Vulnerable to Credential Data Leak
CVE-2026-46441 high 8.0 20d ago FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment
CVE-2026-46440 high 8.0 21d ago FlowiseAI Exposes Basic Auth Credentials via API
CVE-2026-42863 high 8.0 21d ago FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment
CVE-2026-42862 high 8.0 21d ago FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment
CVE-2026-42861 high 8.0 21d ago FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment
CVE-2026-8026 medium 5.3 5.3 29d ago Flowise: Bcrypt Password Hash Exposure
CVE-2025-59528 unknown 1.0 9mo ago Flowise has Remote Code Execution vulnerability
CVE-2025-58434 unknown 1.0 9mo ago Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover
CVE-2025-8943 unknown 1.0 10mo ago Flowise OS command remote code execution
CVE-2024-31621 unknown 1.0 2y ago Flowise vulnerable to code injection via api/v1
CVE-2026-41264 unknown 1mo ago Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability
CVE-2026-41265 unknown 2mo ago Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability
CVE-2026-41279 unknown 2mo ago Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials
CVE-2026-41278 unknown 2mo ago Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs
CVE-2026-41277 unknown 2mo ago Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)
CVE-2026-41276 unknown 2mo ago Flowise: resetPassword Authentication Bypass Vulnerability
CVE-2026-41275 unknown 2mo ago Flowise: Password Reset Link Sent Over Unsecured HTTP
CVE-2026-41273 unknown 2mo ago Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow in Flowise
CVE-2026-41271 unknown 2mo ago Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains
CVE-2026-41272 unknown 2mo ago Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure)
CVE-2026-41270 unknown 2mo ago Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox
CVE-2026-41269 unknown 2mo ago Flowise: File Upload Validation Bypass in createAttachment
CVE-2026-41268 unknown 2mo ago Flowise: Parameter Override Bypass Remote Command Execution
CVE-2026-41266 unknown 2mo ago Flowise: Sensitive Data Leak in public-chatbotConfig
CVE-2026-41267 unknown 2mo ago Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association
CVE-2026-41137 unknown 2mo ago Flowise: Code Injection in CSVAgent leads to Authenticated RCE
CVE-2026-41138 unknown 2mo ago Flowise: Remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using `Pandas`.
CVE-2026-40933 unknown 2mo ago Flowise: Authenticated RCE Via MCP Adapters
CVE-2026-31829 unknown 3mo ago Flowise affected by Server-Side Request Forgery (SSRF) in HTTP Node Leading to Internal Network Access
CVE-2026-30824 unknown 3mo ago Flowise Missing Authentication on NVIDIA NIM Endpoints
CVE-2026-30823 unknown 3mo ago Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration
CVE-2026-30822 unknown 3mo ago Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint
CVE-2026-30821 unknown 3mo ago Flowise has Arbitrary File Upload via MIME Spoofing
CVE-2026-30820 unknown 3mo ago Flowise has Authorization Bypass via Spoofed x-request-from Header
CVE-2025-34267 unknown 8mo ago Flowise: Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages
CVE-2025-61913 unknown 8mo ago Flowise is vulnerable to arbitrary file write through its WriteFileTool
CVE-2025-61687 unknown 8mo ago FlowiseAI/Flowise has File Upload vulnerability
CVE-2025-55346 unknown 8mo ago Flowise vulnerable to RCE via Dynamic function constructor injection
CVE-2025-29192 unknown 8mo ago Flowise Stored XSS vulnerability through logs in chatbot
CVE-2025-50538 unknown 8mo ago Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel
CVE-2025-59527 unknown 9mo ago FlowiseAI/Flowise has Server-Side Request Forgery (SSRF) vulnerability
CVE-2025-57164 unknown 9mo ago FlowiseAI Pre-Auth Arbitrary Code Execution
CVE-2025-26319 unknown 1y ago FlowiseAI Flowise arbitrary file upload vulnerability
CVE-2024-9148 unknown 2y ago Flowise and Flowise Chat Embed vulnerable to Stored Cross-site Scripting
CVE-2024-8182 unknown 2y ago Flowise Unauthenticated Denial of Service (DoS) vulnerability
CVE-2024-8181 unknown 2y ago Flowise Authentication Bypass vulnerability
CVE-2024-37146 unknown 2y ago Flowise Cross-site Scripting in /api/v1/credentials/id
CVE-2024-37145 unknown 2y ago Flowise Cross-site Scripting in /api/v1/chatflows-streaming/id
CVE-2024-36423 unknown 2y ago Flowise Cross-site Scripting in /api/v1/public-chatflows/id
CVE-2024-36422 unknown 2y ago Flowise Cross-site Scripting in api/v1/chatflows/id
CVE-2024-36421 unknown 2y ago Flowise CORS Misconfiguration in packages/server/src/index.ts
CVE-2024-36420 unknown 2y ago Flowise Path Injection at /api/v1/openai-assistants-file