Skip to main content

Flowsint CVE-2026-32311

| EUVDEUVD-2026-23946 CRITICAL
OS Command Injection (CWE-78)
2026-04-20 GitHub_M
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Apr 21, 2026 - 15:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 21, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 20, 2026 - 20:33 vuln.today
CVSS changed
Apr 20, 2026 - 20:22 NVD
9.3 (CRITICAL)
EUVD ID Assigned
Apr 20, 2026 - 20:00 euvd
EUVD-2026-23946
Analysis Generated
Apr 20, 2026 - 20:00 vuln.today
CVE Published
Apr 20, 2026 - 19:56 nvd
CRITICAL 9.3

DescriptionGitHub Advisory

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have controllable graphs, which are comprised of nodes and relationships. The sketches contain information on an OSINT target (usernames, websites, etc) within these nodes and relationships. The nodes can have automated processes execute on them called 'transformers'. A remote attacker can create a sketch, then trigger the 'org_to_asn' transform on an organization node to execute arbitrary OS commands as root on the host machine via shell metacharacters and a docker container escape. Commit b52cbbb904c8013b74308d58af88bc7dbb1b055c appears to remove the code that causes this issue.

AnalysisAI

Remote code execution with container escape in Flowsint OSINT tool allows unauthenticated attackers to execute arbitrary OS commands as root on the host machine. The vulnerability exploits shell metacharacter injection in the 'org_to_asn' transformer when processing organization nodes in OSINT sketches. With CVSS 9.3 (CVSS 4.0), network attack vector, low complexity, and no authentication required, this represents critical risk to any internet-exposed Flowsint instance. Upstream fix committed (b52cbbb904c) removes vulnerable code, but no tagged release version confirmed yet. CVSS vector indicates proof-of-concept exploit exists (E:P).

Technical ContextAI

Flowsint is an open-source OSINT (Open Source Intelligence) graph exploration tool built with Docker containerization. The vulnerability is a classic OS command injection (CWE-78) in the 'org_to_asn' transformer component, which performs automated analysis on organization nodes within investigation sketches. The flaw stems from improper sanitization of user-controlled input passed to shell commands within the Docker container. When shell metacharacters (e.g., semicolons, pipes, backticks) are embedded in organization node data, they are executed by the underlying shell. The attack achieves container escape, elevating from in-container execution to root-level host OS command execution - effectively breaking Docker's isolation boundary. This represents a critical failure in input validation combined with unsafe process spawning and inadequate container security controls.

RemediationAI

Apply upstream fix by updating Flowsint to commit b52cbbb904c8013b74308d58af88bc7dbb1b055c or later (https://github.com/reconurge/flowsint/commit/b52cbbb904c8013b74308d58af88bc7dbb1b055c). The commit removes the vulnerable code path entirely. As no tagged release version is confirmed in available data, deploy directly from the fixed commit or later main branch until a versioned release is published. If immediate patching is not feasible, implement these compensating controls with noted trade-offs: (1) Disable the 'org_to_asn' transformer functionality if not operationally required - this prevents exploitation but removes legitimate OSINT analysis capability for AS number lookups. (2) Restrict network access to Flowsint to trusted internal networks only via firewall rules - eliminates remote attack vector but may hinder legitimate remote investigation workflows. (3) Implement strict input validation and allowlisting at the application perimeter for all sketch/node data - reduces attack surface but requires custom code changes and may break existing investigations with legitimate special characters. (4) Run Flowsint with enhanced container security policies (AppArmor, seccomp, read-only root filesystem) to prevent container escape - mitigates host compromise but does not prevent in-container RCE and may cause operational issues. All workarounds are inferior to patching; plan emergency maintenance window.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-32311 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy