Main Vulnerability Database Vulnerabilities #VU129620

Cross-site scripting in Flowise - CVE-2025-50538

Published: May 4, 2026

Vulnerability identifier: #VU129620

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green

CVE-ID: CVE-2025-50538

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: FlowiseAI

Affected software:
Flowise

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary JavaScript in an administrator's browser and disclose sensitive information.

The vulnerability exists due to cross-site scripting in the "View Messages" functionality of the admin interface when rendering stored user messages. A remote attacker can send a specially crafted message payload to execute arbitrary JavaScript in an administrator's browser and disclose sensitive information.

User interaction is required when an administrator clicks the "View Messages" button in the workflow UI. Sensitive data stored in localStorage may be exposed.

How to mitigate CVE-2025-50538

Install security update from vendor's website.

Sources

https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-964p-j4gg-mhwc

Cross-site scripting in Flowise - CVE-2025-50538

Detailed vulnerability description

How to mitigate CVE-2025-50538

Sources

Please verify you're human