Description
ByteDance DeerFlow versions prior to commit 5dbb362 contain a stored cross-site scripting vulnerability in the artifacts API that allows attackers to execute arbitrary scripts by uploading malicious HTML or script content as artifacts. Attackers can store malicious content that executes in the browser context when users view artifacts, leading to session compromise, credential theft, and arbitrary script execution.
Published: 2026-03-27
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

According to the updated description, this stored cross‑site scripting flaw resides in Deer‑Flow's artifacts API, allowing an attacker to upload malicious HTML or script content that is rendered in the browser when other users view the artifacts. The injected code can execute in the victim’s browser context, potentially compromising their session, stealing credentials, or enabling arbitrary JavaScript execution.

Affected Systems

Bytedance Inc. Deer‑Flow instances running any version prior to the commit identified as 5dbb362 are affected. No further version granularity is supplied, so all releases before that patch are considered vulnerable.

Risk and Exploitability

The CVSS base score of 5.1 indicates moderate severity. The EPSS score of approximately 0.035% reflects a very low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the artifact upload API; an attacker can submit malicious content that is later rendered to end users in the browser. Because the attack requires only an upload privilege and the content is stored and rendered without adequate sanitization, exploitation is feasible even without privileged access.

Generated by OpenCVE AI on May 12, 2026 at 02:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Deer‑Flow installation to commit 5dbb362 or later, which patches the artifact rendering flaw
  • If updating immediately is not feasible, disable the artifact upload functionality or restrict it to trusted users
  • Apply input validation or content filtering to strip or escape script tags from uploaded artifacts
  • Deploy a Web Application Firewall or similar filtering layer to block suspicious HTML submissions
  • Monitor logs for anomalous artifact uploads or rendered content that may indicate exploitation attempts

Generated by OpenCVE AI on May 12, 2026 at 02:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 01:15:00 +0000

Type Values Removed Values Added
Description ByteDance Deer-Flow versions prior to commit 5dbb362 contain a stored cross-site scripting vulnerability in the artifacts API that allows attackers to execute arbitrary scripts by uploading malicious HTML or script content as artifacts. Attackers can store malicious content that executes in the browser context when users view artifacts, leading to session compromise, credential theft, and arbitrary script execution. ByteDance DeerFlow versions prior to commit 5dbb362 contain a stored cross-site scripting vulnerability in the artifacts API that allows attackers to execute arbitrary scripts by uploading malicious HTML or script content as artifacts. Attackers can store malicious content that executes in the browser context when users view artifacts, leading to session compromise, credential theft, and arbitrary script execution.

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Bytedance Inc.
Bytedance Inc. deerflow
Vendors & Products Bytedance Inc.
Bytedance Inc. deerflow

Sat, 28 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Fri, 27 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Description ByteDance Deer-Flow versions prior to commit 5dbb362 contain a stored cross-site scripting vulnerability in the artifacts API that allows attackers to execute arbitrary scripts by uploading malicious HTML or script content as artifacts. Attackers can store malicious content that executes in the browser context when users view artifacts, leading to session compromise, credential theft, and arbitrary script execution.
Title ByteDance DeerFlow Stored XSS via Inline Artifact Rendering
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Bytedance Inc. Deerflow
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-12T01:02:22.862Z

Reserved: 2026-03-16T18:11:41.760Z

Link: CVE-2026-32859

cve-icon Vulnrichment

Updated: 2026-03-27T19:36:43.961Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-27T14:16:08.703

Modified: 2026-05-12T01:16:46.137

Link: CVE-2026-32859

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T03:00:06Z

Weaknesses