flowise-components
npm14 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting flowise-componentspage 1 of 1
- CVE-2025-29189HIGHCVSS 7.6EG 7.6✓ Fixed in 2.2.42025-04-09
Flowise <= 2.2.3 is vulnerable to SQL Injection. via tableName parameter at Postgres_VectorStores.
- CVE-2025-61913CRITICALCVSS 9.9EG 9.9✓ Fixed in 3.0.82025-10-08
Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, WriteFileTool and ReadFileTool in Flowise do not restrict file path access, allowing authenticated attackers to exploit th…
- CVE-2026-40933CRITICALCVSS 9.9EG 9.9✓ Fixed in 3.1.02026-04-21
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitr…
- CVE-2026-41137HIGHCVSS 8.8EG 8.8✓ Fixed in 3.1.02026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection …
- CVE-2026-41138HIGHCVSS 8.8EG 8.8✓ Fixed in 3.1.02026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas. The user’…
- CVE-2026-41264CRITICALCVSS 9.8EG 9.8✓ Fixed in 3.1.02026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSV_Agents class. The issue results from the lack of proper sandboxing when eval…
- CVE-2026-41265CRITICALCVSS 9.8EG 9.8✓ Fixed in 3.1.02026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when…
- CVE-2026-41268CRITICALCVSS 9.8EG 9.8✓ Fixed in 3.1.02026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter …
- CVE-2026-41270HIGHCVSS 7.1EG 7.1✓ Fixed in 3.1.02026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application impl…
- CVE-2026-41271HIGHCVSS 8.3EG 8.3✓ Fixed in 3.1.02026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated att…
- CVE-2026-41272HIGHCVSS 7.1EG 7.1✓ Fixed in 3.1.02026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Side Request Forgery (SSRF) contain multipl…
- CVE-2026-41274CRITICALCVSS 9.8EG 9.8✓ Fixed in 3.1.02026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization…
- CVE-2026-43995CRITICALCVSS 9.8EG 9.8✓ Fixed in 3.1.02026-05-11
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios) instead of using the secured wrapper. Th…
- CVE-2026-56273MEDIUMCVSS 6.5EG 6.5✓ Fixed in 3.1.02026-07-08
Flowise before 3.1.0 contains a path traversal vulnerability in Faiss and SimpleStore vector store implementations that accept unsanitized basePath parameters from authenticated users. Attackers with valid API tokens can write vector store…
Check whether flowise-components is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for flowise-components CVEs against the assets you own.
Start Free Scan →