CVE-2026-42157: XSS in Flowsint OSINT Graph Tool
Platform
javascript
Component
flowsint
Fixed in
1.2.3
CVE-2026-42157 describes a cross-site scripting (XSS) vulnerability discovered in Flowsint, an open-source OSINT graph exploration tool. This flaw allows a remote attacker to inject arbitrary HTML into a map node label, which is then rendered when the map tab is selected and a node marker is chosen. Flowsint versions 1.0.0 through 1.2.2 are affected, and the vulnerability has been patched in version 1.2.3.
Impact and Attack Scenarios
Successful exploitation of CVE-2026-42157 could allow an attacker to execute arbitrary JavaScript code within the context of a user's Flowsint session. This could lead to the theft of sensitive information, such as API keys, credentials, or data stored within the Flowsint application. An attacker could also potentially redirect users to malicious websites or deface the Flowsint interface. The impact is amplified if Flowsint is used to analyze sensitive data or if it is integrated with other security tools, as the attacker could gain access to a wider range of systems and information.
Exploitation Context
CVE-2026-42157 was published on 2026-05-12. There is no indication of active exploitation campaigns targeting this vulnerability at the time of writing. The vulnerability is not currently listed on KEV or EPSS, suggesting a low probability of exploitation. Public proof-of-concept (POC) code is not widely available, but the vulnerability's nature makes it relatively straightforward to exploit.
Affected Software
Weakness Classification (CWE)
Timeline
- Published
Mitigation and Workarounds
The primary mitigation for CVE-2026-42157 is to upgrade Flowsint to version 1.2.3 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the map node label field to prevent the injection of malicious HTML. While not a complete solution, this can reduce the attack surface. Additionally, monitor Flowsint logs for suspicious activity, such as unusual HTML content in map node labels. After upgrading, confirm the fix by creating a map node with a simple HTML tag (e.g., <script>alert('test')</script>) and verifying that the alert does not execute when the map tab is selected.
How to fix
Actualice Flowsint a la versión 1.2.3 o posterior para mitigar el riesgo de XSS. Esta versión corrige la vulnerabilidad al sanitizar correctamente las entradas de los usuarios en los marcadores del mapa, evitando la ejecución de código malicioso.
Frequently asked questions
What is CVE-2026-42157 — XSS in Flowsint?
CVE-2026-42157 is a cross-site scripting (XSS) vulnerability affecting Flowsint versions 1.0.0 through 1.2.2. An attacker can inject malicious HTML into a map node label, potentially leading to code execution.
Am I affected by CVE-2026-42157 in Flowsint?
You are affected if you are using Flowsint versions 1.0.0 through 1.2.2. Upgrade to version 1.2.3 to mitigate the vulnerability.
How do I fix CVE-2026-42157 in Flowsint?
Upgrade Flowsint to version 1.2.3 or later. As a temporary workaround, implement input validation and sanitization on the map node label field.
Is CVE-2026-42157 being actively exploited?
There is currently no evidence of active exploitation campaigns targeting CVE-2026-42157.
Where can I find the official Flowsint advisory for CVE-2026-42157?
Refer to the Flowsint project's official repository or website for the latest advisory and release notes regarding CVE-2026-42157.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Try it now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...