Skip to main content

Flowise CVE-2025-71331

| EUVDEUVD-2025-210289 MEDIUM
Basic XSS (CWE-80)
2026-06-20 VulnCheck GHSA-jv86-v5fr-xvg6
5.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

PR:N because chat submission requires no account; UI:R because a human victim must view the chat; S:C because injected script executes in the victim's distinct browser security context.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 22, 2026 - 06:16 vuln.today
Analysis Generated
Jun 22, 2026 - 06:16 vuln.today
Patch available
Jun 20, 2026 - 17:16 EUVD

DescriptionCVE.org

Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript by sending an iframe payload (e.g., <iframe src="javascript:alert(document.cookie)">) in a chat box, or by having a custom agent function return an XSS payload from an external website. The injected script executes in the victim's browser, enabling theft of cookies and session data.

AnalysisAI

Cross-site scripting in Flowise before 3.0.8 allows unauthenticated network attackers to inject malicious JavaScript into the chat interface via iframe javascript: URI payloads, or indirectly via custom agent functions that fetch and render unsanitized external HTTP responses. When a victim browses the affected chat or agent output in their browser, the injected script executes in their session, enabling cookie theft and session hijacking. A working proof-of-concept payload is publicly documented in GitHub Security Advisory GHSA-4fr9-3x69-36wv; no active exploitation is confirmed in CISA KEV at time of analysis.

Technical ContextAI

Flowise is an open-source, Node.js/npm-based visual AI workflow builder distributed under cpe:2.3:a:flowise:flowise:*:*:*:*:*:*:*:*. The root cause is CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page): the application fails to sanitize HTML and JavaScript before rendering it in the browser, allowing javascript: URI schemes and arbitrary HTML tags to execute as code. Two distinct injection surfaces exist: the chat interface directly renders unsanitized user-submitted messages, and the Agentflow custom function pipeline fetches external URLs via node-fetch and returns their raw text content to the renderer without sanitization - creating a second-order XSS path where attacker-controlled external web servers can deliver payloads through trusted agent execution.

RemediationAI

Upgrade Flowise to version 3.0.8 or later, the vendor-released patch confirmed by GHSA-4fr9-3x69-36wv and corroborated by EUVD and VulnCheck. Install via npm with 'npm install flowise@3.0.8' or equivalent. If immediate patching is blocked, restrict access to the Flowise chat interface and Agentflow creation capabilities to authenticated, trusted users only - this reduces but does not eliminate the attack surface, as authenticated users could still inject payloads targeting other users. As an additional defense-in-depth measure, deploy a Content Security Policy (CSP) header that sets 'script-src' to disallow inline scripts and blocks javascript: URI schemes; this would neutralize the specific iframe javascript: PoC payload but is not a substitute for patching and may break legitimate Flowise functionality requiring testing. The vendor advisory is at https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-4fr9-3x69-36wv.

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2025-8943 CRITICAL POC
9.8 Aug 14

Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c

CVE-2025-26319 CRITICAL POC
9.8 Mar 04

FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una

CVE-2025-58434 CRITICAL POC
9.8 Sep 12

Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9

CVE-2026-30821 CRITICAL POC
9.8 Mar 07

Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent

CVE-2026-30824 CRITICAL POC
9.8 Mar 07

Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi

CVE-2026-56274 HIGH POC
8.7 Jun 23

Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per

CVE-2026-30820 HIGH POC
8.8 Mar 07

Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof

CVE-2026-30823 HIGH POC
8.8 Mar 07

Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).

CVE-2025-34267 HIGH POC
8.4 Oct 14

Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when

CVE-2024-8181 HIGH POC
8.1 Aug 27

An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili

CVE-2026-30822 HIGH POC
7.7 Mar 07

Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu

Share

CVE-2025-71331 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy