CVE-2026-43995

9.8 CRITICAL

Flowise is a drag & drop user interface to build a customized large language model flow

Published: 2026-05-11 · Last updated: 2026-05-20

Severity and scoring

CVSS: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-918

Affected products

Vendor	Product
flowiseai	flowise

Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios) instead of using the secured wrapper. These tools include (1) OpenAPIToolkit/OpenAPIToolkit.ts, (2) WebScraperTool/WebScraperTool.ts, (3) MCP/core.ts, and (4) Arxiv/core.ts. This vulnerability is fixed in 3.1.0.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-43995
[Vendor advisory]https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-qqvm-66q4-vf5c
[Vendor advisory]https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-qqvm-66q4-vf5c

Related CVEs

Same vendor

CVE-2026-46480 — Flowise is a drag & drop user interface to build a customized large language model flow (8.8 HIGH)
CVE-2026-46444 — Flowise is a drag & drop user interface to build a customized large language model flow (8.8 HIGH)
CVE-2026-46443 — Flowise is a drag & drop user interface to build a customized large language model flow (6.5 MEDIUM)
CVE-2026-46442 — Flowise is a drag & drop user interface to build a customized large language model flow (9.9 CRITICAL)
CVE-2026-46441 — Flowise is a drag & drop user interface to build a customized large language model flow (9.6 CRITICAL)

Same CWE

CVE-2026-53812 — OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control that allows authenticated users to bypa... (7.7 HIGH)
CVE-2026-53782 — Summarize before 0.17.0 contains a server-side request forgery vulnerability that allows attackers who control a podcast RSS feed to dire... (7.4 HIGH)
CVE-2026-47170 — Garlic-Hub manages digital signage network — devices, content, and playlists — from a single self-hosted interface (7.7 HIGH)
CVE-2026-47157 — aiograpi is an asynchronous Instagram API for Python (6.5 MEDIUM)
CVE-2026-46698 — Fediverse Embeds embeds fediverse posts on WordPress sites (5.3 MEDIUM)