Flowise - Cross-Site Scripting in Chat Messages and Agent Workflows
Description
Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript by sending an iframe payload (e.g., `<iframe src="javascript:alert(document.cookie);">`) in a chat box, or by having a custom agent function return an XSS payload from an external website. The injected script executes in the victim's browser, enabling theft of cookies and session data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Insufficient input filtering in chat messages and custom agent functions allows injection of arbitrary HTML/JavaScript."
Attack vector
An attacker can trigger the XSS by sending a chat message containing an `<iframe src="javascript:alert(document.cookie);">` payload, which executes when a victim views the message. Alternatively, an attacker can create a custom agent function that fetches content from an external website; if that website returns a malicious JavaScript payload, the script executes in the victim's browser, enabling theft of cookies and session data [ref_id=1].
Affected code
The advisory identifies insufficient input filtering in chat messages and custom agent functions as the vulnerable code paths. The vulnerability affects Flowise before version 3.0.8, specifically the chat message handling and the custom function execution within Agentflows [ref_id=1].
What the fix does
The advisory does not include a patch diff, but states that the fix is included in Flowise version 3.0.8. The remediation involves implementing proper input filtering and output encoding for chat messages and custom agent function return values to prevent injection of arbitrary HTML and JavaScript [ref_id=1].
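The advisory does not reproduce Flowise's rendering code, so the following is an added illustration rather than the project's own fix: it contrasts interpolating a chat message straight into markup with HTML-encoding it first, and applies the same encoding to whatever a custom agent function returns. The message payload and the agent-function return value are constructed; the `renderAgentOutput` shape is an assumption.

```javascript
// Added example, not Flowise code: make chat text inert by encoding the
// characters that can open a tag or break out of an attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the message body is placed into markup unencoded,
// so a tag inside the message becomes part of the page. Shown for contrast only.
function renderUnsafe(message) {
  return `<div class="chat-message">${message}</div>`;
}

// Hardened pattern: the same message is encoded before it reaches the DOM,
// so the browser shows the tag as text instead of executing it.
function renderSafe(message) {
  return `<div class="chat-message">${escapeHtml(message)}</div>`;
}

// Custom agent functions may return strings or objects (assumed shape);
// the hardened path coerces to text and encodes that too, so content fetched
// from an external site is displayed, never interpreted.
function renderAgentOutput(result) {
  const text = typeof result === 'string' ? result : JSON.stringify(result);
  return renderSafe(text);
}

// Detection aid: does rendered markup still contain a live iframe/script tag?
function containsActiveTag(html) {
  return /<\s*(iframe|script)\b/i.test(html);
}

// Constructed payload mirroring the one quoted in the advisory.
const CHAT_PAYLOAD = '<iframe src="javascript:alert(document.cookie);">';

console.log('unsafe :', renderUnsafe(CHAT_PAYLOAD), '->', containsActiveTag(renderUnsafe(CHAT_PAYLOAD)));
console.log('safe   :', renderSafe(CHAT_PAYLOAD), '->', containsActiveTag(renderSafe(CHAT_PAYLOAD)));
console.log('agent  :', renderAgentOutput({ html: '<script>' }));
```

Encoding at render time is the output-side half of the remediation; it is independent of any input filtering applied when the message is stored.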
Preconditions
- Auth: The victim must be a user of the Flowise platform who views chat messages or uses Agentflows that include custom functions.
- Input: The attacker must be able to send chat messages or create/modify custom agent functions within an Agentflow.
Generated on Jun 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/FlowiseAI/Flowise/security/advisories/GHSA-4fr9-3x69-36wv (MITRE; vendor advisory)
- www.vulncheck.com/advisories/flowise-cross-site-scripting-in-chat-messages-and-agent-workflows (MITRE; third-party advisory)