CVE-2025-26319: FlowiseAI Flowise arbitrary file upload vulnerability

March 5, 2025

FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments.

References

github.com/FlowiseAI/Flowise
github.com/FlowiseAI/Flowise/blob/flowise-ui%402.2.6/packages/server/src/index.ts
github.com/advisories/GHSA-69jq-qr7w-j7qh
github.com/dorattias/CVE-2025-26319
nvd.nist.gov/vuln/detail/CVE-2025-26319

Code Behaviors & Features

Detect and mitigate CVE-2025-26319 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →