GHSA-w6v6-49gh-mc9w: Flowise: Path Traversal in Vector Store basePath

April 16, 2026

The Faiss and SimpleStore (LlamaIndex) vector store implementations accept a basePath parameter from user-controlled input and pass it directly to filesystem write operations without any sanitization. An authenticated attacker can exploit this to write vector store data to arbitrary locations on the server filesystem.

References

github.com/FlowiseAI/Flowise
github.com/FlowiseAI/Flowise/security/advisories/GHSA-w6v6-49gh-mc9w
github.com/advisories/GHSA-w6v6-49gh-mc9w

Code Behaviors & Features

Detect and mitigate GHSA-w6v6-49gh-mc9w with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →