Flowise Vulnerabilities

npm AI Agents
Total CVEs: 80
Critical: 16
Ecosystem: npm
Last CVE: May 20, 2026
Patch Rate: 61%
Avg Time to Patch: 1d

Known Vulnerabilities (80 total, page 2 of 4)

| Severity | CVE ID | Summary | CVSS | Published |
|---|---|---|---|---|
| HIGH | CVE-2026-41275 | Flowise: HTTP password reset link allows MITM takeover | 7.5 | Apr 23, 2026 |
| HIGH | CVE-2026-41273 | Flowise: auth bypass exposes OAuth 2.0 tokens | 8.2 | Apr 23, 2026 |
| HIGH | CVE-2026-41272 | Flowise: SSRF bypass via DNS rebinding exposes internal networks | 7.1 | Apr 23, 2026 |
| HIGH | CVE-2026-41271 | Flowise: SSRF via prompt template injection in API Chain | 8.3 | Apr 23, 2026 |
| HIGH | CVE-2026-41270 | Flowise: SSRF bypass exposes cloud metadata services | 8.3 | Apr 23, 2026 |
| HIGH | CVE-2026-41269 | Flowise: unrestricted file upload enables persistent RCE | 8.8 | Apr 23, 2026 |
| CRITICAL | CVE-2026-41268 | Flowise: unauthenticated RCE via NODE_OPTIONS env injection | 9.8 | Apr 23, 2026 |
| CRITICAL | CVE-2026-41267 | Flowise: mass assignment auth bypass in registration | 9.8 | Apr 23, 2026 |
| HIGH | CVE-2026-41266 | Flowise: unauthenticated API key exposure via chatbot config | 7.5 | Apr 23, 2026 |
| CRITICAL | CVE-2026-41265 | Flowise: RCE via prompt injection in Airtable Agent | 9.8 | Apr 23, 2026 |
| HIGH | CVE-2026-41138 | Flowise: RCE via unsanitized input in AirtableAgent | 8.8 | Apr 23, 2026 |
| HIGH | CVE-2026-41137 | Flowise: RCE via CSVAgent unsanitized code injection | 8.8 | Apr 23, 2026 |
| CRITICAL | CVE-2026-41264 | Flowise: prompt injection → unsandboxed RCE via CSV Agent | 9.8 | Apr 21, 2026 |
| CRITICAL | GHSA-v38x-c887-992f | Flowise: prompt injection bypasses Python sandbox RCE | -- | Apr 18, 2026 |
| HIGH | GHSA-3prp-9gf7-4rxx | Flowise: Mass assignment enables cross-tenant store takeover | -- | Apr 17, 2026 |
| HIGH | GHSA-w47f-j8rh-wx87 | Flowise: credential exposure via public chatflow API | -- | Apr 17, 2026 |
| HIGH | GHSA-5fw2-mwhh-9947 | Flowise: unauth TTS endpoint exposes stored AI API keys | -- | Apr 17, 2026 |
| CRITICAL | CVE-2026-40933 | Flowise: RCE via MCP stdio command injection | 9.9 | Apr 16, 2026 |
| MEDIUM | GHSA-6pcv-j4jx-m4vx | Flowise: unauthenticated SSO config exposes OAuth secrets | 5.3 | Apr 16, 2026 |
| MEDIUM | GHSA-cc4f-hjpj-g9p8 | Flowise: hardcoded JWT defaults enable full auth bypass | 5.6 | Apr 16, 2026 |
| MEDIUM | GHSA-2qqc-p94c-hxwh | Flowise: hardcoded session secret enables auth bypass | 5.6 | Apr 16, 2026 |
| MEDIUM | GHSA-m7mq-85xj-9x33 | Flowise: hardcoded default key enables JWT token forgery | 5.6 | Apr 16, 2026 |
| MEDIUM | GHSA-w6v6-49gh-mc9w | Flowise: path traversal allows arbitrary file write via vector store | -- | Apr 16, 2026 |
| MEDIUM | GHSA-qqvm-66q4-vf5c | Flowise: SSRF bypass enables cloud credential theft | -- | Apr 16, 2026 |
| MEDIUM | GHSA-9hrv-gvrv-6gf2 | Flowise: SSRF bypass enables cloud metadata access | -- | Apr 16, 2026 |

Showing 26–50 of 80
