flowise-components
npm
11 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting flowise-components
- CVE-2026-40933 · CRITICAL · CVSS 9.9 · EG 9.9 · ✓ Fixed in 3.1.0 · 2026-04-21
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitr…
- CVE-2026-41137 · HIGH · CVSS 8.8 · EG 8.8 · ✓ Fixed in 3.1.0 · 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection …
- CVE-2026-41138 · HIGH · CVSS 8.8 · EG 8.8 · ✓ Fixed in 3.1.0 · 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas. The user’…
- CVE-2026-41264 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 3.1.0 · 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSV_Agents class. The issue results from the lack of proper sandboxing when eval…
- CVE-2026-41265 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 3.1.0 · 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when…
- CVE-2026-41268 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 3.1.0 · 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter …
- CVE-2026-41270 · HIGH · CVSS 7.1 · EG 7.1 · ✓ Fixed in 3.1.0 · 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application impl…
- CVE-2026-41271 · HIGH · CVSS 8.3 · EG 8.3 · ✓ Fixed in 3.1.0 · 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated att…
- CVE-2026-41272 · HIGH · CVSS 7.1 · EG 7.1 · ✓ Fixed in 3.1.0 · 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Side Request Forgery (SSRF) contain multipl…
- CVE-2026-41274 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 3.1.0 · 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization…
- CVE-2026-43995 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 3.1.0 · 2026-05-11
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios) instead of using the secured wrapper. Th…