GHSA-jv86-v5fr-xvg6MediumCVSS 6.1

Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient...

Published
June 20, 2026
Last Modified
June 20, 2026

🔗 CVE IDs covered (1)

📋 Description

Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript by sending an iframe payload (e.g., ) in a chat box, or by having a custom agent function return an XSS payload from an external website. The injected script executes in the victim's browser, enabling theft of cookies and session data.

🔗 References (4)