Description
A vulnerability was determined in FlowiseAI Flowise up to 3.1.2. The impacted element is an unknown function of the file packages/components/nodes/documentloaders/S3/S3.ts of the component S3 Document Loader. Executing a manipulation can lead to path traversal. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Severity (CVSS)
| Base score | 5.3 |
|---|---|
| Severity | Medium |
| Version | CVSS 4.0 |
| Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P |
| Provided by | CNA |
Weaknesses
- CWE-22 — Path Traversal
Affected products
| Vendor | Product | Versions |
|---|---|---|
| FlowiseAI | Flowise | 3.1.0; 3.1.1; 3.1.2 |
References
- https://vuldb.com/vuln/372611 (vdb-entry)
- https://vuldb.com/vuln/372611/cti (signature permissions-required)
- https://vuldb.com/cve/CVE-2026-12821 (third-party-advisory)
- https://vuldb.com/submit/837578 (third-party-advisory)
- https://github.com/dxz0069/softwareoverflow/blob/main/flowise_s3_loader_object_key_path_traversal_vulndb.md (related)
Generated from the official CVE List on 22 Jun 2026 14:43 UTC.