Vulnerabilities in Flowise
20 results

CVE-2026-56274 | HIGH | Flowise - Remote Code Execution via MCP Security Bypass in validateCommandFlags and validateArgsForLocalFileAccess | EPSS 1.7%
CVE-2024-58351 | CRITICAL | Flowise - Remote Code Execution via overrideConfig Parameter | EPSS 0.6%
CVE-2026-56270 | HIGH | Flowise - Unauthenticated OAuth Secrets Disclosure via /api/v1/loginmethod Endpoint | EPSS 0.4%
CVE-2026-56267 | MEDIUM | Flowise - PII Disclosure via Unauthenticated Forgot Password Endpoint | EPSS 0.3%
CVE-2025-71337 | HIGH | Flowise - Unverified Email Change via Account Profile Endpoint | EPSS 0.3%
CVE-2026-56268 | MEDIUM | Flowise - Cross-Workspace Information Disclosure via chatflows/apikey Endpoint | EPSS 0.3%
CVE-2026-56276 | MEDIUM | Flowise - Mass Assignment in PUT /api/v1/user Allows Password Hash Override | EPSS 0.3%
CVE-2025-71332 | HIGH | Flowise - SQL Injection in importChatflows API via chatflow.id Parameter | EPSS 0.2%
CVE-2025-71331 | MEDIUM | Flowise - Cross-Site Scripting in Chat Messages and Agent Workflows | EPSS 0.2%
CVE-2026-56275 | MEDIUM | Flowise - Server-Side Request Forgery via Execute Flow Base URL | EPSS 0.2%
CVE-2026-56269 | MEDIUM | Flowise - Weak Default Token Hash Secret in JWT Token Encryption | EPSS 0.1%
CVE-2026-56272 | MEDIUM | Flowise - Insufficient Password Salt Rounds in Bcrypt Hashing | EPSS 0.1%
CVE-2025-71335 | HIGH | Flowise - Session Invalidation Failure After Password Change | EPSS —
CVE-2025-71336 | CRITICAL | Flowise - Unsandboxed Remote Code Execution via Custom MCP | EPSS —
CVE-2025-71333 | CRITICAL | Flowise - Arbitrary File Upload via Unauthenticated /api/v1/attachments Endpoint | EPSS —
CVE-2025-71327 | CRITICAL | Flowise - Authentication Bypass via Unprotected Registration Endpoint | EPSS —
CVE-2025-71338 | CRITICAL | Flowise - Arbitrary File Write to Remote Code Execution via document-store API | EPSS —
CVE-2025-71328 | HIGH | Flowise - Unverified Password Change via Account Settings | EPSS —
CVE-2025-71334 | CRITICAL | Flowise - Arbitrary File Access via Missing Chat Flow ID Validation | EPSS —
CVE-2025-71324 | HIGH | Flowise - Arbitrary File Read via chatId Parameter | EPSS —