Flowise Vulnerabilities

npm AI Agents
Total CVEs: 80
Critical: 16
Ecosystem: npm
Last CVE: May 20, 2026
Patch Rate: 61%
Avg Time to Patch: 1d

Known Vulnerabilities (80 total, page 3 of 4)

| Severity | CVE ID | Summary | CVSS | Published |
|---|---|---|---|---|
| HIGH | GHSA-f228-chmx-v6j6 | Flowise: prompt injection RCE via AirtableAgent | 8.3 | Apr 16, 2026 |
| CRITICAL | GHSA-9wc7-mj3f-74xv | Flowise CSVAgent: RCE via Python code injection | -- | Apr 16, 2026 |
| HIGH | GHSA-48m6-ch88-55mj | Flowise: Mass Assignment allows cross-tenant org takeover | 8.1 | Apr 16, 2026 |
| HIGH | GHSA-4jpm-cgx2-8h37 | Flowise: unauth API exposes plaintext API keys and tokens | -- | Apr 16, 2026 |
| HIGH | GHSA-cvrr-qhgw-2mm6 | Flowise: unauthenticated RCE via FILE-STORAGE bypass | 7.7 | Apr 16, 2026 |
| HIGH | GHSA-rh7v-6w34-w2rr | Flowise: MIME bypass enables persistent Node.js web shell RCE | 7.1 | Apr 16, 2026 |
| HIGH | GHSA-xhmj-rg95-44hv | Flowise: SSRF bypass exposes cloud IAM credentials | 7.1 | Apr 16, 2026 |
| HIGH | GHSA-2x8m-83vc-6wv4 | Flowise: SSRF bypass exposes internal services | 7.1 | Apr 16, 2026 |
| HIGH | GHSA-6r77-hqx7-7vw8 | FlowiseAI: SSRF via prompt injection in API Chain | 7.1 | Apr 16, 2026 |
| HIGH | GHSA-6f7g-v4pp-r667 | Flowise: OAuth token theft via unauthenticated endpoint | -- | Apr 16, 2026 |
| HIGH | GHSA-x5w6-38gp-mrqh | Flowise: HTTP reset link exposes tokens to MITM takeover | -- | Apr 16, 2026 |
| HIGH | GHSA-28g4-38q8-3cwc | Flowise: Cypher injection allows full Neo4j DB wipe | -- | Apr 16, 2026 |
| HIGH | GHSA-f6hc-c5jr-878p | Flowise: auth bypass enables account takeover via null token | -- | Apr 16, 2026 |
| HIGH | CVE-2026-31829 | Flowise: SSRF via HTTP Node exposes internal network | 8.8 | Mar 10, 2026 |
| CRITICAL | CVE-2026-30824 | Flowise: auth bypass exposes NVIDIA NIM container endpoints | 9.8 | Mar 7, 2026 |
| UNKNOWN | CVE-2026-30823 | Flowise: IDOR enables account takeover and SSO bypass | -- | Mar 7, 2026 |
| UNKNOWN | CVE-2026-30822 | Flowise: mass assignment allows unauthenticated DB injection | -- | Mar 7, 2026 |
| CRITICAL | CVE-2026-30821 | flowise: Arbitrary File Upload enables RCE | 9.8 | Mar 7, 2026 |
| HIGH | CVE-2026-30820 | Flowise: header spoof auth bypass exposes admin API & creds | 8.8 | Mar 7, 2026 |
| CRITICAL | CVE-2025-61913 | Flowise: path traversal in file tools leads to RCE | 9.9 | Oct 8, 2025 |
| HIGH | CVE-2025-61687 | Flowise: unrestricted file upload enables persistent RCE | 8.8 | Oct 6, 2025 |
| CRITICAL | CVE-2025-59528 | Flowise: Unauthenticated RCE via MCP config injection | 10.0 | Sep 22, 2025 |
| HIGH | CVE-2025-59527 | Flowise: unauthenticated SSRF exposes internal network | 7.5 | Sep 22, 2025 |
| CRITICAL | CVE-2025-58434 | Flowise: auth bypass in reset flow allows full ATO | 9.8 | Sep 12, 2025 |
| MEDIUM | CVE-2024-37146 | Flowise: reflected XSS enables credential theft | 6.1 | Jul 1, 2024 |

Showing 51–75 of 80
