Description
Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a node with a malicious type that can escape an existing Cypher query and an adversary can execute an arbitrary Cypher query. This vulnerability is fixed in 1.2.3.
Published: 2026-05-12
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Flowsint is an open‑source OSINT graph exploration tool. Prior to version 1.2.3 a remote attacker can create a node whose type field is crafted to escape the surrounding Cypher query, allowing the attacker to execute an arbitrary Cypher statement against the backend graph database. This could lead to unauthorized reading, modification, or deletion of stored graph data, thereby affecting confidentiality, integrity, and availability of the information the tool manages.
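The root cause class here (CWE-943, injection into a query language) has a twist that matters for Cypher: a label cannot be supplied as a query parameter, so a client-chosen node type has to be spliced into the query text one way or another. The illustration below is an added example, not Flowsint's code, and assumes a hypothetical allowlist of node types; it contrasts the string-concatenation pattern the advisory describes with a builder that allowlists the label and passes every property value as a parameter.

```python
import re
from typing import Any, Mapping

# Hypothetical allowlist of node types for this example; Flowsint's real
# schema is not given on the page.
ALLOWED_NODE_TYPES = frozenset({"Person", "Domain", "IpAddress", "Email", "Organization"})

# A Cypher label we are willing to splice into query text must be a plain
# identifier: anything else (parentheses, backticks, whitespace) is rejected.
LABEL_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class InvalidNodeType(ValueError):
    """Raised when a client-supplied node type is not an allowlisted label."""


def validate_node_type(node_type: Any) -> str:
    """Return node_type unchanged if it is a known label, otherwise raise.

    Cypher cannot take a label from a query parameter, so the label has to
    end up in the query string. That is exactly why it is checked against a
    fixed allowlist instead of being escaped ad hoc.
    """
    if not isinstance(node_type, str):
        raise InvalidNodeType("node type must be a string")
    if LABEL_RE.fullmatch(node_type) is None:
        raise InvalidNodeType(f"node type is not a plain identifier: {node_type!r}")
    if node_type not in ALLOWED_NODE_TYPES:
        raise InvalidNodeType(f"unknown node type: {node_type!r}")
    return node_type


def build_create_node(node_type: Any, properties: Mapping[str, Any]) -> tuple[str, dict]:
    """Build (query, params) for creating one node safely.

    Only the validated label is spliced into the text; all property values
    travel in the $props map parameter, so the database never interprets
    user data as Cypher syntax.
    """
    label = validate_node_type(node_type)
    query = f"CREATE (n:`{label}`) SET n = $props RETURN n"
    return query, {"props": dict(properties)}


def build_create_node_unsafe(node_type: str, properties: Mapping[str, Any]) -> str:
    """The concatenation pattern the advisory describes, kept for contrast.

    Both the label and the property values are pasted into the query text,
    so any value containing Cypher syntax changes the statement instead of
    being stored as data. Do not use this in real code.
    """
    props = ", ".join(f"{key}: '{value}'" for key, value in properties.items())
    return f"CREATE (n:{node_type} {{{props}}}) RETURN n"


if __name__ == "__main__":
    # Constructed request payloads standing in for a node-creation API call.
    query, params = build_create_node("Domain", {"name": "example.invalid"})
    print(query, params)
    for candidate in ("Person", "Person)", "person", "Organization RETURN n"):
        try:
            print("accepted:", validate_node_type(candidate))
        except InvalidNodeType as exc:
            print("rejected:", exc)
```

The allowlist check does more than a character filter would: a type that is syntactically a valid label but not part of the schema is still refused, which keeps the API from creating arbitrary labels even when no injection is attempted. If the schema must be extensible at runtime, load the allowlist from a trusted configuration source rather than from the request.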

Affected Systems

The product reconurge:flowsint before version 1.2.3 is affected; the fix is provided in release 1.2.3 and later.

Risk and Exploitability

The CVSS base score is 7.1. EPSS data is not available, so the likelihood of exploitation remains uncertain, and the vulnerability is not listed in the CISA KEV catalog. Attackers can target the node‑creation API over the network; the description does not mention that authentication or privileged access is required, so a remote attacker able to reach the instance could craft the malicious request. The likely attack vector is remote network access to the API.

Generated by OpenCVE AI on May 13, 2026 at 00:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released update to Flowsint 1.2.3 or newer, which removes the vulnerable string handling.
  • If an immediate upgrade is not feasible, restrict external access to the node‑creation API with firewall rules or network segmentation so that only trusted hosts may submit requests.
  • Require authentication and enforce role‑based access control for the API so that only authorized users can create nodes, limiting the ability to supply malicious node types.

Generated by OpenCVE AI on May 13, 2026 at 00:51 UTC.

Advisories

No advisories yet.

History

Wed, 13 May 2026 12:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 00:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Reconurge; Reconurge flowsint

Type: Vendors & Products
Values Removed: none
Values Added: Reconurge; Reconurge flowsint

Tue, 12 May 2026 23:15:00 +0000

Type: Description
Values Removed: none
Values Added: Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a node with a malicious type that can escape an existing Cypher query and an adversary can execute an arbitrary Cypher query. This vulnerability is fixed in 1.2.3.

Type: Title
Values Removed: none
Values Added: Flowsint: Cypher query injection in node type on node creation

Type: Weaknesses
Values Removed: none
Values Added: CWE-943

Type: References
Values Removed: none
Values Added:

Type: Metrics (cvssV4_0)
Values Removed: none
Values Added: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T12:07:00.524Z

Reserved: 2026-04-24T17:15:21.835Z

Link: CVE-2026-42156

Vulnrichment

Updated: 2026-05-13T12:06:42.623Z

NVD

Status : Deferred

Published: 2026-05-12T23:16:17.203

Modified: 2026-05-13T16:10:57.817

Link: CVE-2026-42156

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T01:00:23Z

Weaknesses