CVE-2026-42157: Stored XSS in Flowsint Map Nodes
Platform
javascript
Component
flowsint
Fixed in
1.2.3
CVE-2026-42157 affects Flowsint, an open-source OSINT graph exploration tool. Prior to version 1.2.3, a remote attacker can inject malicious HTML into map node labels. When the map tab is selected and a map node marker is selected, this HTML will be rendered, potentially triggering a stored Cross-Site Scripting (XSS) attack. This vulnerability impacts versions 1.0.0 through 1.2.2 and has been addressed in version 1.2.3.
Impact and attack scenarios
Successful exploitation of CVE-2026-42157 allows an attacker to inject arbitrary HTML and JavaScript code into Flowsint's map node labels. When a user views the map and selects a malicious node, the injected code will execute in their browser context. This can lead to various attacks, including session hijacking, credential theft, and redirection to malicious websites. The impact is particularly severe if Flowsint is used within an organization with sensitive data or access controls, as an attacker could potentially compromise user accounts and gain unauthorized access to systems.
Exploitation context
CVE-2026-42157 was published on 2026-05-12. Exploitation probability is currently unknown. Public proof-of-concept (POC) code is not yet available. The vulnerability is not listed on KEV or EPSS. Severity is pending evaluation.
Affected software
Vulnerability classification (CWE)
Timeline
- Published: 2026-05-12
Mitigation and workarounds
The primary mitigation for CVE-2026-42157 is to upgrade Flowsint to version 1.2.3 or later. Until upgraded, implement strict input validation on all user-supplied data, specifically when creating or modifying map node labels. Sanitize HTML input to remove potentially malicious tags and attributes. Consider using a Content Security Policy (CSP) to restrict the execution of scripts from untrusted sources. There are no specific WAF rules or detection signatures readily available, so focus on patching and input validation. After upgrading, confirm the fix by attempting to create a map node with a malicious HTML payload and verifying that the HTML is properly sanitized.
How to fix
Upgrade Flowsint to version 1.2.3 or later to mitigate the XSS risk. This version fixes the vulnerability by correctly sanitizing user input in map markers, preventing the execution of malicious code.
Frequently asked questions
What is CVE-2026-42157 (XSS in Flowsint)?
It's a stored XSS vulnerability in Flowsint's map node labels.
Am I affected by CVE-2026-42157 in Flowsint?
You are affected if you are using Flowsint versions 1.0.0 through 1.2.2.
How do I fix CVE-2026-42157 in Flowsint?
Upgrade to Flowsint version 1.2.3 or later to resolve the vulnerability.
Is CVE-2026-42157 being actively exploited?
There are currently no reports of active exploitation, but vigilance is advised.
Where can I find the official Flowsint advisory for CVE-2026-42157?
Refer to the official Flowsint project documentation and security advisories for further information.