Loading market data...
← Back to CVE feed

CVE-2025-71333

UNKNOWN View on NVD ↗

Description

Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise.

Published: Jun 25, 2026 22:16 UTC Modified: Jun 26, 2026 16:19 UTC