CVE-2026-42159
Description
Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have controllable graphs, which are comprised of nodes and relationships. The sketches contain information on an OSINT target (usernames, websites, etc.) within these nodes and relationships. A remote attacker can create a node with a malicious description that contains arbitrary HTML. When the node is selected, the arbitrary HTML is rendered, potentially triggering stored XSS. This vulnerability is fixed in 1.2.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Flowsint node descriptions allows remote attackers to inject arbitrary HTML, potentially leading to session hijacking.
Flowsint is an open-source OSINT graph exploration tool. Prior to version 1.2.3, it allowed users to create nodes with descriptions that were rendered using dangerouslySetInnerHTML in the details panel component (details-panel.tsx). This allowed arbitrary HTML injection, leading to stored cross-site scripting (XSS) [1].
A remote attacker can create a node with a malicious description containing arbitrary HTML. When the node is selected, the HTML is rendered in the victim's browser. The advisory notes that currently investigations are limited to a single user, but the codebase suggests plans for collaboration, which would enable cross-user exploitation and session hijacking via exfiltration of authorization tokens from Local Storage [1].
An attacker could execute arbitrary JavaScript in the context of the victim's session, potentially stealing sensitive data like authorization tokens, leading to account takeover. The vulnerability is fixed in version 1.2.3 [1].
Users should upgrade to Flowsint 1.2.3 or later to mitigate this vulnerability. No workaround is mentioned in the advisory.
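To make the rendering difference concrete, here is an added example (not Flowsint's code, and not its actual 1.2.3 patch) that models a sketch node's description flowing through the vulnerable innerHTML-style path and through an escaped path, plus a review check a defender can run over existing node data after upgrading. The node shape and the `alert(1)` test string are constructed for the example.

```typescript
// Added example, not Flowsint's code. Models what dangerouslySetInnerHTML hands
// to the DOM unchanged versus an escaped form the browser shows as literal text.
// The hardened path is an assumption, not the project's actual 1.2.3 fix.

interface SketchNode {
  id: string;
  label: string;
  description: string;
}

// Vulnerable path: the stored description becomes markup verbatim.
// Equivalent to <div dangerouslySetInnerHTML={{ __html: node.description }} />
function renderDescriptionVulnerable(node: SketchNode): string {
  return `<div class="node-description">${node.description}</div>`;
}

// Escape the five characters that let text break out into markup.
function escapeHtml(text: string): string {
  const map: Record<string, string> = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  };
  return text.replace(/[&<>"']/g, (ch) => map[ch] ?? ch);
}

// Hardened path: same container, but the description is rendered as text.
// In React this is simply {node.description} as a child, which escapes for you.
function renderDescriptionSafe(node: SketchNode): string {
  return `<div class="node-description">${escapeHtml(node.description)}</div>`;
}

// Defender check for stored sketch data: flag descriptions that carry an
// opening tag or an inline event handler so they can be reviewed. A bare "<"
// followed by whitespace (e.g. "a < b") is not flagged.
const MARKUP_PATTERN = /<[a-z!\/]|\bon[a-z]+\s*=/i;

function findMarkupDescriptions(nodes: SketchNode[]): string[] {
  return nodes.filter((n) => MARKUP_PATTERN.test(n.description)).map((n) => n.id);
}

// Constructed sample nodes, not real investigation data.
const sampleNodes: SketchNode[] = [
  { id: "n1", label: "username", description: "Handle seen on two forums" },
  { id: "n2", label: "website", description: '<img src=x onerror="alert(1)">' },
  { id: "n3", label: "note", description: "Compare a < b and c > d" },
];
```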
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.