GHSA-c3hj-m5hq-59xwCriticalCVSS 10.0

Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process...

Published
June 26, 2026
Last Modified
June 26, 2026

🔗 CVE IDs covered (1)

📋 Description

Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like package.json and achieve remote code execution when the application restarts.

🔗 References (4)