CVE-2026-42159

5.4 MEDIUM

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification

Published: 2026-05-14 · Last updated: 2026-05-21

Severity and scoring

CVSS: 5.4 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Affected products

Vendor	Product
flowsint	flowsint

Description

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have controllable graphs, which are comprised of nodes and relationships. The sketches contain information on an OSINT target (usernames, websites, etc) within these nodes and relationships. A remote attacker can create a node with a malicious description that contains arbitrary HTML. When the node is selected, it will render the arbitrary HTML, potentially triggering stored XSS. This vulnerability is fixed in 1.2.3.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-42159
[Vendor advisory]https://github.com/reconurge/flowsint/security/advisories/GHSA-w233-5mmx-cr7x
[Vendor advisory]https://github.com/reconurge/flowsint/security/advisories/GHSA-w233-5mmx-cr7x

Related CVEs

Same vendor

CVE-2026-32311 — Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification (9.8 CRITICAL)

Same CWE

CVE-2026-12176 — A vulnerability has been found in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 (4.3 MEDIUM)
CVE-2026-5513 — The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '... (7.2 HIGH)
CVE-2026-9629 — The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including... (6.4 MEDIUM)
CVE-2026-3297 — The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anc... (6.4 MEDIUM)
CVE-2026-9134 — The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attribute_key' shortcode parameter in ve... (6.4 MEDIUM)