CVE-2025-71337

Sažetak

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the original email address or re-entering the current password. By changing the recovery email, an attacker can take over the account and abuse password reset mechanisms.

Reference

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x39m-3393-3qp4
https://www.vulncheck.com/advisories/flowise-unverified-email-change-via-account-profile-endpoint
https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x39m-3393-3qp4

CVSS

Base:	8.3
Impact:	5.5
Exploitability:	2.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	LOW

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Zadnje važnije ažuriranje

25-06-2026 - 18:38

Objavljeno

23-06-2026 - 13:16