CVE-2026-30822 | THREATINT

Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when creating leads. This issue has been patched in version 3.0.13.

PUBLISHED Reserved 2026-03-05 | Published 2026-03-07 | Updated 2026-03-07 | Assigner GitHub_M

HIGH: 7.7CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Problem types

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

Product status

< 3.0.13

affected

References

github.com/...lowise/security/advisories/GHSA-mq4r-h2gh-qv7x

github.com/FlowiseAI/Flowise/releases/tag/flowise@3.0.13

cve.org (CVE-2026-30822)

nvd.nist.gov (CVE-2026-30822)

Download JSON