Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have controllable graphs, which are comprised of nodes and relationships. The sketches contain information on an OSINT target (usernames, websites, etc) within these nodes and relationships. A remote attacker can create a node with a malicious description that contains arbitrary HTML. When the node is selected, it will render the arbitrary HTML, potentially triggering stored XSS. This vulnerability is fixed in 1.2.3.
AnalysisAI
Stored cross-site scripting (XSS) in Flowsint prior to version 1.2.3 allows remote attackers to inject arbitrary HTML into node descriptions within sketches, which is executed when the node is selected by a user. This requires user interaction to view the malicious node but can compromise investigation integrity and potentially lead to credential theft or malware delivery within the OSINT analysis workflow.
Technical ContextAI
Flowsint is an open-source OSINT graph exploration tool that manages investigations containing sketches (graphical representations of OSINT data). Sketches comprise nodes and relationships representing investigation targets (usernames, websites, etc). The vulnerability stems from insufficient HTML sanitization (CWE-79: Improper Neutralization of Input During Web Page Generation) of node descriptions. When a user selects a node, the application renders the description without proper escaping, allowing injected HTML and JavaScript to execute in the user's browser context. This is a classic stored XSS vulnerability where malicious payloads persist in the investigation data structure and execute upon retrieval.
RemediationAI
Upgrade Flowsint to version 1.2.3 or later, which contains fixes for HTML sanitization in node descriptions. Update can be performed through the project repository (https://github.com/reconurge/flowsint). If immediate patching is not feasible, implement a compensating control by restricting investigation creation and modification permissions to trusted users only, reducing exposure to attacker-controlled node injection. Additionally, configure a Content Security Policy (CSP) header in the application deployment to block inline script execution, mitigating stored XSS payloads even if unsanitized HTML is rendered. Note that CSP restrictions may affect graphing functionality if the application relies on dynamic script generation for visualization.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30308