CVE-2024-37146: Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a
Summary
Flowise version 1.4.3 has a reflected cross-site scripting vulnerability (XSS, a type of attack where malicious code is injected into a webpage) in its `/api/v1/credentials/id` endpoint that allows attackers to inject harmful JavaScript into user sessions, potentially stealing information or redirecting users to malicious websites. The vulnerability is especially dangerous because it can be exploited without authentication in the default configuration and can be combined with other attacks to read files from the Flowise server.
Vulnerability Details
6.1 (medium)
EPSS: 0.3%
Related Issues
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-37146
First tracked: February 15, 2026 at 08:53 PM