MEDIUM SeverityCVSS 4.05.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

CVE-2026-43995

Last updated May 11, 2026 · Published May 11, 2026

Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios) instead of using the secured wrapper. These tools include (1) OpenAPIToolkit/OpenAPIToolkit.ts, (2) WebScraperTool/WebScraperTool.ts, (3) MCP/core.ts, and (4) Arxiv/core.ts. This vulnerability is fixed in 3.1.0.

Affected products

1 listed

FlowiseAI:Flowise

Mappings

CWE

CWE-918

CAPEC

None listed.

Research

Server-Side Request Forgery (SSRF)Explains how untrusted URLs can make servers reach internal or cloud metadata endpoints. Covers validation,…

Guides

Next.js SSRF ProtectionCommon SSRF paths in Next.js and how to block them.

Training

SSRF and Request ForgeryWhen your server makes requests on behalf of an attacker.

CVE-2026-43995

Description

Affected products

Mappings

Related