Every CVE whose affected-product data names Flowiseai Flowise, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (85)
CVE-2025-71338 — CVSS 10.0 (critical): Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers…
CVE-2025-59528 — CVSS 10.0 (critical): Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote…
CVE-2026-46442 — CVSS 9.9 (critical): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST…
CVE-2026-56274 — CVSS 9.9 (critical): Flowise before 3.1.2 contains multiple OS command injection vulnerabilities in the Custom MCP Server feature due to incomplete command-flag…
CVE-2025-61913 — CVSS 9.9 (critical): Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, WriteFileTool and…
CVE-2026-40933 — CVSS 9.9 (critical): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of…
CVE-2025-34267 — CVSS 9.9 (critical): Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOW_BUILTIN_DEP' enabled contain an authenticated remote code execution vulnerability…
CVE-2025-26319 — CVSS 9.8 (critical): FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments.
CVE-2024-8181 — CVSS 9.8 (critical): An Authentication Bypass vulnerability exists in Flowise version 1.8.2. This could allow a remote, unauthenticated attacker to access API…
CVE-2025-58434 — CVSS 9.8 (critical): Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the…
CVE-2025-71333 — CVSS 9.8 (critical): Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType…
CVE-2025-71334 — CVSS 9.8 (critical): Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an arbitrary file access vulnerability due to missing validation that…
CVE-2025-71336 — CVSS 9.8 (critical): Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnerability in the…
CVE-2025-8943 — CVSS 9.8 (critical): The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However…
CVE-2026-30821 — CVSS 9.8 (critical): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the…
CVE-2026-30824 — CVSS 9.8 (critical): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router…
CVE-2026-41264 — CVSS 9.8 (critical): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within…
CVE-2026-41265 — CVSS 9.8 (critical): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within…
CVE-2026-41268 — CVSS 9.8 (critical): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a…
CVE-2026-41274 — CVSS 9.8 (critical): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node…
CVE-2026-41276 — CVSS 9.8 (critical): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, this vulnerability allows remote…
CVE-2026-43995 — CVSS 9.8 (critical): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations…
CVE-2024-9148 — CVSS 9.6 (critical): Flowise < 2.1.1 suffers from a Stored Cross-Site vulnerability due to a lack of input sanitization in Flowise Chat Embed < 2.0.0.
CVE-2026-46441 — CVSS 9.6 (critical): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment…
CVE-2026-42861 — CVSS 9.6 (critical): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment…
CVE-2025-71327 — CVSS 9.1 (critical): Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated…
CVE-2026-56278 — CVSS 9.1 (critical): Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session…
CVE-2026-46440 — CVSS 9.1 (critical): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth…
CVE-2026-46475 — CVSS 8.8 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, assistant create and…
CVE-2026-46444 — CVSS 8.8 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, all CRUD endpoints for…
CVE-2026-30823 — CVSS 8.8 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, there is an IDOR…
CVE-2026-30820 — CVSS 8.8 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, Flowise trusts any HTTP…
CVE-2026-46480 — CVSS 8.8 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluator create and…
CVE-2026-46479 — CVSS 8.8 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluation create and…
CVE-2026-46478 — CVSS 8.8 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, DatasetRow create and…
CVE-2026-46477 — CVSS 8.8 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, dataset create and update…
CVE-2026-46476 — CVSS 8.8 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, CustomTemplate create and…
CVE-2026-41137 — CVSS 8.8 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a…
CVE-2026-41138 — CVSS 8.8 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution…
CVE-2026-41277 — CVSS 8.8 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in…
CVE-2025-71328 — CVSS 8.3 (high): Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their account password through…
CVE-2026-41271 — CVSS 8.3 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery…
CVE-2025-71337 — CVSS 8.3 (high): Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can…
CVE-2025-61687 — CVSS 8.3 (high): Flowise is a drag & drop user interface to build a customized large language model flow. A file upload vulnerability in version 3.0.7 of…
CVE-2026-41273 — CVSS 8.2 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication…
CVE-2025-29192 — CVSS 8.2 (high): Flowise before 3.0.5 allows XSS via a FORM element and an INPUT element when an admin views the chat log.
CVE-2026-42863 — CVSS 8.1 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment…
CVE-2025-71335 — CVSS 8.1 (high): Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes…
CVE-2026-41267 — CVSS 8.1 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON…
CVE-2026-56268 — CVSS 7.7 (high): Flowise before 3.1.2 contains an information disclosure vulnerability in the /api/v1/chatflows/apikey/:apikey endpoint. When the keyonly…
CVE-2026-30822 — CVSS 7.7 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can…
CVE-2024-31621 — CVSS 7.6 (high): An issue in FlowiseAI Inc Flowise v.1.6.2 and before allows a remote attacker to execute arbitrary code via a crafted script to the api/v1…
CVE-2025-29189 — CVSS 7.6 (high): Flowise <= 2.2.3 is vulnerable to SQL Injection. via tableName parameter at Postgres_VectorStores.
CVE-2026-41279 — CVSS 7.5 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation…
CVE-2025-71324 — CVSS 7.5 (high): Flowise before 3.0.6 contains an arbitrary file read vulnerability in the chatId parameter of the /api/v1/get-upload-file and…
CVE-2026-41266 — CVSS 7.5 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id…
CVE-2024-8182 — CVSS 7.5 (high): An Unauthenticated Denial of Service (DoS) vulnerability exists in Flowise version 1.8.2 leading to a complete crash of the instance…
CVE-2024-36420 — CVSS 7.5 (high): Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the…
CVE-2026-56270 — CVSS 7.5 (high): Flowise before 3.1.0 (versions 3.0.13 and earlier) contains a missing authentication vulnerability in the /api/v1/loginmethod endpoint that…
CVE-2025-59527 — CVSS 7.5 (high): Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, a Server-Side Request Forgery…
CVE-2026-41275 — CVSS 7.5 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the password reset functionality…
CVE-2024-36421 — CVSS 7.5 (high): Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A CORS…
CVE-2026-41278 — CVSS 7.5 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:i…
CVE-2026-41269 — CVSS 7.1 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file…
CVE-2026-41270 — CVSS 7.1 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery…
CVE-2026-41272 — CVSS 7.1 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers…
CVE-2026-31829 — CVSS 7.1 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.0.13, Flowise exposes an HTTP Node in…
CVE-2026-56275 — CVSS 7.1 (high): Flowise before 3.1.0 contains a server-side request forgery vulnerability in the Execute Flow node that allows attackers to bypass security…
CVE-2025-71332 — CVSS 6.5 (medium): Flowise through 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id…
CVE-2026-46443 — CVSS 6.5 (medium): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, when credentials are…
CVE-2026-56277 — CVSS 6.5 (medium): Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard (*) on its text-to-speech (TTS) generation endpoint…
CVE-2025-57164 — CVSS 6.5 (medium): Flowise through v3.0.4 is vulnerable to remote code execution via unsanitized evaluation of user input in the "Supabase RPC Filter" field.
CVE-2024-36422 — CVSS 6.1 (medium): Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected…
CVE-2024-37146 — CVSS 6.1 (medium): Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected…
CVE-2024-37145 — CVSS 6.1 (medium): Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected…
CVE-2025-71331 — CVSS 6.1 (medium): Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom…
CVE-2024-36423 — CVSS 6.1 (medium): Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected…
CVE-2026-58057 — CVSS 5.0 (medium): Flowise before 3.1.3 validates Custom MCP stdio environment variables against a denylist using a case-sensitive comparison, so on Windows…
CVE-2026-42862 — CVSS 5.0 (medium): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment…
CVE-2026-56269 — CVSS 4.6 (medium): Flowise before 3.1.0 (npm package flowise, versions 3.0.13 and earlier) uses a weak hardcoded default value 'Secre$t' for the…
CVE-2026-8027 — CVSS 4.3 (medium): A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability is an unknown functionality of the…
CVE-2026-56272 — CVSS 4.1 (medium): Flowise before 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of…
CVE-2026-8026 — CVSS 3.7 (low): A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterp…
CVE-2026-8028 — CVSS 3.7 (low): A vulnerability was detected in FlowiseAI Flowise up to 3.0.12. This affects the function verify of the file packages/server/src/enterprise/…