NVD HIGH: CVE-2025-71332 — Flowise through 2.2.7 contains a SQL injection vulnerability in the importChatfl...
Source: NIST NVD
Executive Summary
Flowise through 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON import file whose id field is concatenated unsanitized into a SQL IN clause, allowing arbitrary SQL to be executed, including blind and error-based extraction of data from the credential table.
Analysis
CVSS Score: 6.5. Published: 2026-06-24T13:16:30.263.
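The bug class the advisory describes (ids read from an imported JSON file concatenated into a SQL IN clause) shown next to a validated, parameterized form, as an added example in JavaScript that is not Flowise's own code; the function names, the chat_flow table name and the ? placeholder style are assumptions.

```javascript
// Added illustration of the bug class in the advisory, not Flowise's code.
// Function names, the chat_flow table and the '?' placeholder style are assumed.

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Vulnerable pattern: every id from the import file is spliced into the SQL
// text unchanged, so a value containing a quote ends the string literal and
// the rest of the value becomes SQL.
function buildLookupVulnerable(chatflows) {
  const ids = chatflows.map((c) => `'${c.id}'`).join(', ');
  return `SELECT id FROM chat_flow WHERE id IN (${ids})`;
}

// Hardened pattern: reject anything that is not a well-formed id, then bind
// the values as parameters so they never become part of the SQL text.
function buildLookupSafe(chatflows) {
  const ids = chatflows.map((c) => c.id);
  if (ids.length === 0) {
    throw new Error('import file contains no chatflows');
  }
  for (const id of ids) {
    if (typeof id !== 'string' || !UUID_RE.test(id)) {
      throw new Error(`rejected chatflow id: ${JSON.stringify(id)}`);
    }
  }
  const placeholders = ids.map(() => '?').join(', ');
  return {
    sql: `SELECT id FROM chat_flow WHERE id IN (${placeholders})`,
    params: ids,
  };
}

// Constructed sample import file: one well-formed id and one crafted value
// that carries a quote and a comment marker.
const sampleImport = [
  { id: '8d3b2c1e-5f4a-4b6c-9d7e-1a2b3c4d5e6f', name: 'ok' },
  { id: "x') --", name: 'crafted' },
];

console.log(buildLookupVulnerable(sampleImport)); // crafted id lands in the SQL verbatim
try {
  buildLookupSafe(sampleImport);
} catch (e) {
  console.log(e.message); // rejected chatflow id: "x') --"
}
console.log(buildLookupSafe([sampleImport[0]]));
```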