GHSA-jv86-v5fr-xvg6MediumCVSS 6.1
Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient...
🔗 CVE IDs covered (1)
📋 Description
Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript by sending an iframe payload (e.g., ) in a chat box, or by having a custom agent function return an XSS payload from an external website. The injected script executes in the victim's browser, enabling theft of cookies and session data.