pkg:npm/flowise-components

15 total CVEs: CRITICAL 3, HIGH 10

All known vulnerabilities

  • CRITICAL 9.9 CVE-2026-40933 Flowise: Authenticated RCE Via MCP Adapters
    from 0, < 3.1.0
  • CRITICAL 9.8 CVE-2026-41264 Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability
    from 0, < 3.1.0
  • CRITICAL 9.8 CVE-2026-41265 Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability
    from 0, < 3.1.0
  • HIGH 8.8 CVE-2026-41137 Flowise: Code Injection in CSVAgent leads to Authenticated RCE
    from 0, < 3.1.0
  • HIGH 8.3 CVE-2026-41138 Flowise: Remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using `Pandas`.
    from 0, < 3.1.0
  • HIGH 7.7 CVE-2026-41268 Flowise: Parameter Override Bypass Remote Command Execution
    from 0, < 3.1.0
  • HIGH 7.7 CVE-2025-61913 Flowise is vulnerable to arbitrary file write through its WriteFileTool
    from 0, < 3.0.8
  • HIGH 7.7 CVE-2025-61913 Flowise is vulnerable to arbitrary file write through its WriteFileTool
    from 0, < 3.0.8
  • HIGH 7.6 CVE-2025-29189 Flowise Vulnerable to SQL Injection via `tableName` Parameter
    from 0, < 2.2.4
  • HIGH 7.1 CVE-2026-41271 Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains
    from 0, < 3.1.0
  • HIGH 7.1 CVE-2026-41272 Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure)
    from 0, < 3.1.0
  • HIGH 7.1 CVE-2026-41270 Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox
    from 0, < 3.1.0
  • HIGH 7.1 CVE-2026-31829 Flowise affected by Server-Side Request Forgery (SSRF) in HTTP Node Leading to Internal Network Access
    from 0, < 3.0.13
  • CVE-2026-41274 Flowise: Cypher Injection in GraphCypherQAChain
    from 0, < 3.1.0
  • CVE-2026-43995 Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)
    from 0, < 3.1.0