Vulnerabilities
Vulnerable Software
Flowiseai:  >> Flowise  >> 3.1.2  Security Vulnerabilities
Flowise before 3.1.3 validates Custom MCP stdio environment variables against a denylist using a case-sensitive comparison, so on Windows, where environment names are case-insensitive, supplying 'node_options' bypasses the NODE_OPTIONS denylist entry. An authenticated user who can configure a Custom MCP node can thereby inject NODE_OPTIONS --require and execute arbitrary code in the Flowise server context.
CVSS Score
2.3
EPSS Score
0.008
Published
2026-06-28
Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like package.json and achieve remote code execution when the application restarts.
CVSS Score
10.0
EPSS Score
0.006
Published
2026-06-25


Contact Us

Shodan ® - All rights reserved