SB2026050497 - Multiple vulnerabilities in Flowise



SB2026050497 - Multiple vulnerabilities in Flowise

Published: May 4, 2026

Security Bulletin ID SB2026050497
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: N/A)

CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script code in a victim's browser.

The vulnerability exists due to improper neutralization of script-related html tags in a web page in chat message and agentflow content rendering when rendering untrusted content. A remote attacker can inject a malicious script payload to execute arbitrary script code in a victim's browser.

User interaction is required to view a crafted chat message or agentflow content.


2) Cross-site scripting (CVE-ID: CVE-2025-50538)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary JavaScript in an administrator's browser and disclose sensitive information.

The vulnerability exists due to cross-site scripting in the "View Messages" functionality of the admin interface when rendering stored user messages. A remote attacker can send a specially crafted message payload to execute arbitrary JavaScript in an administrator's browser and disclose sensitive information.

User interaction is required when an administrator clicks the "View Messages" button in the workflow UI. Sensitive data stored in localStorage may be exposed.


Remediation

Install update from vendor's website.