CVE-2026-42157 MEDIUM

CVE-2026-42157: Flowsint: Stored XSS on map node marker in map page

Vendor Reconurge
Product flowsint
Weakness CWE-79 · XSS
Published May 12, 2026
Last update May 18, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Passive
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. In versions prior to 1.2.3, a remote attacker can create a map node whose label contains arbitrary HTML. When a user opens the map tab and selects that node's marker, the application renders the label's HTML, potentially triggering stored XSS. This vulnerability is fixed in 1.2.3.

Key dates

02 Disclosure timeline

May 12, 2026 CVE published
May 18, 2026 Record updated