SB2026050497 - Multiple vulnerabilities in Flowise
Published: May 4, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: N/A)
CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script code in a victim's browser.
The vulnerability exists due to improper neutralization of script-related html tags in a web page in chat message and agentflow content rendering when rendering untrusted content. A remote attacker can inject a malicious script payload to execute arbitrary script code in a victim's browser.
User interaction is required to view a crafted chat message or agentflow content.
2) Cross-site scripting (CVE-ID: CVE-2025-50538)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary JavaScript in an administrator's browser and disclose sensitive information.
The vulnerability exists due to cross-site scripting in the "View Messages" functionality of the admin interface when rendering stored user messages. A remote attacker can send a specially crafted message payload to execute arbitrary JavaScript in an administrator's browser and disclose sensitive information.
User interaction is required when an administrator clicks the "View Messages" button in the workflow UI. Sensitive data stored in localStorage may be exposed.
Remediation
Install update from vendor's website.