Description
Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have controllable graphs, which are comprised of nodes and relationships. The sketches contain information on an OSINT target (usernames, websites, etc) within these nodes and relationships. A remote attacker can create a node with a malicious description that contains arbitrary HTML. When the node is selected, it will render the arbitrary HTML, potentially triggering stored XSS. This vulnerability is fixed in 1.2.3.
Published: 2026-05-14
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Flowsint, an open-source OSINT graph exploration tool, allows users to create investigations that contain sketches made of nodes and relationships. Prior to version 1.2.3 a malicious user can create a node whose description field contains arbitrary HTML. When that node is selected the embedded HTML is rendered in the browser, which can lead to execution of attacker-supplied scripts. This is a classic Stored Cross-Site Scripting vulnerability (CWE-79), compromising the confidentiality and integrity of the data viewed by others who interact with the compromised node.

Affected Systems

The vulnerability affects the reconurge Flowsint project. All releases of Flowsint older than version 1.2.3 are susceptible. Users running any of those vulnerable versions are at risk when they allow untrusted users to create or edit node descriptions.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity vulnerability. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. An attacker who can supply a node with a malicious description can trigger stored XSS by having another user view that node. The risk is limited to environments where the graph is shared or accessed by others, but the potential impact is the injection of arbitrary scripts in the client browser.

Generated by OpenCVE AI on May 14, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Flowsint version 1.2.3 or later.
  • Restrict node creation and editing privileges to trusted users only, ensuring that only authorized personnel can add or modify node descriptions.
  • If an upgrade is not possible, sanitize or escape the content of node descriptions before rendering so that any embedded HTML is treated as plain text.

Generated by OpenCVE AI on May 14, 2026 at 17:50 UTC.
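The escaping approach from the last recommended action, shown as an added JavaScript example that is not Flowsint's own code: a node detail panel that interpolates the description straight into markup (the pre-1.2.3 behaviour the description records) beside a version that escapes every user-controlled field first. The node shape, the function names and the sample node are assumptions constructed for illustration.

```javascript
// Added example, not Flowsint code. Node shape and names are assumed.
// A sketch node as a client might receive it; the description is untrusted
// because any user with node-edit rights controls it (constructed sample).
const sampleNode = {
  id: "n1",
  type: "username",
  label: "jdoe",
  description: 'Seen on <b>forum</b> & "site" <em>2024</em>',
};

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the description is concatenated into markup unchanged,
// so any HTML it carries is parsed and rendered when the node is selected.
function renderNodePanelUnsafe(node) {
  return `<section class="node-detail">
  <h2>${node.label}</h2>
  <p class="description">${node.description}</p>
</section>`;
}

// Hardened pattern: every user-controlled field is escaped before it reaches
// the markup, so the browser displays tags as literal text instead of parsing them.
function renderNodePanelSafe(node) {
  return `<section class="node-detail" data-node-id="${escapeHtml(node.id)}">
  <h2>${escapeHtml(node.label)}</h2>
  <p class="description">${escapeHtml(node.description)}</p>
</section>`;
}

// Regression check: does the rendered markup still contain, verbatim, any tag
// that originated in the description? True means the description was
// rendered as HTML rather than as text.
function descriptionMarkupLeaked(html, node) {
  const tags = node.description.match(/<[^>]+>/g) || [];
  return tags.some((tag) => html.includes(tag));
}

// When writing into the live DOM instead of building a string, the same rule
// applies: assign el.textContent = node.description rather than el.innerHTML.
```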

Advisories

No advisories yet.

History

Thu, 14 May 2026 19:15:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc
                            {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 17:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Reconurge
                                        Reconurge flowsint
Vendors & Products                      Reconurge
                                        Reconurge flowsint

Thu, 14 May 2026 16:15:00 +0000

Type          Values Removed    Values Added
Description                     Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have controllable graphs, which are comprised of nodes and relationships. The sketches contain information on an OSINT target (usernames, websites, etc) within these nodes and relationships. A remote attacker can create a node with a malicious description that contains arbitrary HTML. When the node is selected, it will render the arbitrary HTML, potentially triggering stored XSS. This vulnerability is fixed in 1.2.3.
Title                           Flowsint: Stored XSS in description of node
Weaknesses                      CWE-79
References
Metrics                         cvssV4_0
                                {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:21:16.068Z

Reserved: 2026-04-24T17:15:21.836Z

Link: CVE-2026-42159

Vulnrichment

Updated: 2026-05-14T18:21:09.032Z

NVD

Status: Awaiting Analysis

Published: 2026-05-14T16:16:20.993

Modified: 2026-05-14T19:16:35.603

Link: CVE-2026-42159

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T18:00:14Z

Weaknesses