Vulnerabilities (CVE)

  1. OpenCVE
  2. Vulnerabilities (CVE)
Filtered by vendor Flowiseai Subscribe
Total 65 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-36421 1 Flowiseai 1 Flowise 2024-11-21 N/A 7.5 HIGH
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration (unauthenticated), arbitrary origins may be able to make requests to Flowise, stealing information from the user. This CORS misconfiguration may be chained with the path injection to allow an attacker attackers without access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available.
CVE-2024-36420 1 Flowiseai 1 Flowise 2024-11-21 N/A 7.5 HIGH
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the `/api/v1/openai-assistants-file` endpoint in `index.ts` is vulnerable to arbitrary file read due to lack of sanitization of the `fileName` body parameter. No known patches for this issue are available.
CVE-2024-9148 1 Flowiseai 2 Embed, Flowise 2024-09-30 N/A 6.1 MEDIUM
Flowise < 2.1.1 suffers from a Stored Cross-Site vulnerability due to a lack of input sanitization in Flowise Chat Embed < 2.0.0.
CVE-2024-8181 1 Flowiseai 1 Flowise 2024-09-06 N/A 8.1 HIGH
An Authentication Bypass vulnerability exists in Flowise version 1.8.2. This could allow a remote, unauthenticated attacker to access API endpoints as an administrator and allow them to access restricted functionality.
CVE-2024-8182 1 Flowiseai 1 Flowise 2024-08-30 N/A 7.5 HIGH
An Unauthenticated Denial of Service (DoS) vulnerability exists in Flowise version 1.8.2 leading to a complete crash of the instance running a vulnerable version due to improper handling of user supplied input to the “/api/v1/get-upload-file” api endpoint.