CVE-2026-42156 HIGH

CVE-2026-42156: Flowsint: Cypher query injection in node type on node creation

Vendor Reconurge
Product flowsint
Weakness CWE-943
Published May 12, 2026
Last update May 13, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a node with a malicious type that can escape an existing Cypher query and an adversary can execute an arbitrary Cypher query. This vulnerability is fixed in 1.2.3.

Key dates

02Disclosure timeline

May 12, 2026 CVE published
May 13, 2026 Record updated