HIGHVulnerability
Verified
Global

NVD HIGH: CVE-2025-71332 — Flowise through 2.2.7 contains a SQL injection vulnerability in the importChatfl...

·Source: NIST NVD

Updated:

Executive Summary

Flowise through 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON import file whose id field is concatenated unsanitized into a SQL IN clause, allowing arbitrary SQL to be executed, including blind and error-based extraction of data from the credential table.

Analysis

Flowise through 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON import file whose id field is concatenated unsanitized into a SQL IN clause, allowing arbitrary SQL to be executed, including blind and error-based extraction of data from the credential table. CVSS Score: 6.5. Published: 2026-06-24T13:16:30.263.

Indicators of Compromise (1)

CVE (1)
CVE-2025-71332
Source Attribution

Originally published by NIST NVD on Jun 24, 2026. Verified by: NIST.

Related Threats