CVE-2025-71338

CRITICAL 10.0

Flowise - Arbitrary File Write to Remote Code Execution via document-store API

CVSS Score

10.0

EPSS Score

0.0%

EPSS Percentile

0th

Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like package.json and achieve remote code execution when the application restarts.

CWE	CWE-73
Vendor	flowise
Product	flowise
Published	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for flowise flowise

Be the first to know when new critical vulnerabilities affecting flowise flowise are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Flowise / Flowise

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-8vvx-qvq9-5948 vulncheck.com: https://www.vulncheck.com/advisories/flowise-arbitrary-file-write-to-remote-code-execution-via-document-store-api

Credits

🔍 pyozzi-toss