CVE-2026-42157 Overview
CVE-2026-42157 is a stored Cross-Site Scripting (XSS) vulnerability in Flowsint, an open-source Open Source Intelligence (OSINT) graph exploration tool used for cybersecurity investigation, transparency, and verification. Versions prior to 1.2.3 allow a remote attacker to create a map node with a malicious label containing arbitrary HTML. When a user selects the map tab and clicks the map node marker, the application renders the injected HTML in the browser context. The flaw is tracked under CWE-79 and is fixed in version 1.2.3.
Critical Impact
Authenticated attackers can persist arbitrary HTML and JavaScript in map node labels, which executes in the browser of any analyst viewing the affected map node.
Affected Products
- Flowsint OSINT graph exploration tool
- All versions prior to 1.2.3
- Web-based map visualization component rendering node labels
Discovery Timeline
- 2026-05-12 - CVE-2026-42157 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42157
Vulnerability Analysis
The vulnerability is a stored XSS issue in the map visualization component of Flowsint. The application accepts user-supplied map node labels and persists them without sanitizing or encoding embedded HTML markup. When an analyst opens the map tab and selects a node marker, the client renders the stored label as HTML rather than as plain text. Any script tags, event handlers, or other active content embedded in the label execute under the origin of the Flowsint application.
Because Flowsint stores investigative data shared among analysts, an attacker with the ability to add or modify a node can pivot the tool itself into a delivery channel for browser-based attacks against other investigators.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. The map rendering logic treats node label fields as trusted HTML rather than untrusted text. No output encoding or content sanitization is applied before injecting the label into the Document Object Model (DOM) when the marker is selected.
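The difference between treating a label as HTML and treating it as text, shown as an added illustration that is not Flowsint's code. The function names, popup markup and sample node are assumptions made for the demonstration.

```javascript
// Added illustration, not Flowsint source. Function names and the popup
// markup are hypothetical; only the label-handling difference matters.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored label is concatenated into popup HTML unchanged.
function popupHtmlUnsafe(node) {
  return `<div class="popup"><strong>${node.label}</strong></div>`;
}

// Hardened pattern: the label is encoded, so the browser renders it as text.
function popupHtmlSafe(node) {
  return `<div class="popup"><strong>${escapeHtml(node.label)}</strong></div>`;
}

// Count element start tags a browser would parse out of a fragment.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample node whose label carries markup with an event handler.
const sampleNode = { id: "n1", label: '<img src=x onerror="void 0">HQ' };

console.log("unsafe:", popupHtmlUnsafe(sampleNode), "tags:", countTags(popupHtmlUnsafe(sampleNode)));
console.log("safe:  ", popupHtmlSafe(sampleNode), "tags:", countTags(popupHtmlSafe(sampleNode)));

// Encoding keeps legitimate labels intact on screen instead of stripping characters.
console.log(escapeHtml("R&D <London>"));
```

When the popup is built through DOM APIs instead of an HTML string, assigning the label to `textContent` has the same effect as the encoded form.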
Attack Vector
Exploitation requires network access to the Flowsint instance and low-privilege authenticated access sufficient to create or edit a map node. The attacker crafts a node whose label contains an HTML or JavaScript payload. The payload triggers only when a victim navigates to the map tab and interacts with the malicious marker, which is reflected in the user interaction requirement of the CVSS vector. Successful exploitation can steal session tokens, perform actions as the victim, or redirect investigators to attacker-controlled infrastructure.
No public proof-of-concept exploit code has been published. Refer to the GitHub Security Advisory GHSA-gj93-2vcq-729w for vendor technical details.
Detection Methods for CVE-2026-42157
Indicators of Compromise
- Map node label fields containing <script>, <img>, <svg>, or on*= event handler attributes.
- Unexpected outbound browser requests from analyst workstations after viewing a Flowsint map.
- Session token reuse from IP addresses that do not match the legitimate analyst.
Detection Strategies
- Inspect the Flowsint backing datastore for node label values containing HTML tags or javascript: scheme URIs.
- Review application access logs for node creation or update requests by accounts that should not be authoring investigation data.
- Review Content Security Policy (CSP) violation reports, if enabled, to surface script execution from unexpected inline sources.
Monitoring Recommendations
- Alert on anomalous DOM-modification patterns in browser endpoint telemetry when users access the Flowsint map view.
- Track authentication events from analyst accounts immediately following map view sessions to detect token replay.
- Monitor egress traffic from analyst workstations to domains not associated with sanctioned OSINT sources.
How to Mitigate CVE-2026-42157
Immediate Actions Required
- Upgrade Flowsint to version 1.2.3 or later on all instances.
- Audit existing map nodes for labels containing HTML markup or scripting syntax and remove or sanitize them.
- Rotate session credentials for analyst accounts that may have viewed untrusted maps prior to patching.
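One way to carry out the label inspection from Detection Strategies and the audit step above, as an added sketch that is not part of Flowsint. The node shape ({ id, label }) and the sample export are assumptions; rows would come from your own datastore export.

```javascript
// Added audit sketch, not Flowsint code. The node shape ({ id, label }) and
// the sample export below are assumptions; load real rows from your datastore.

const LABEL_CHECKS = [
  // "<" followed by a letter (or "/" + letter) is where HTML parsing starts a tag.
  { name: "html-tag", re: /<\/?[a-z]/i },
  // on*= attribute appearing inside a tag, e.g. onerror=, onload=.
  { name: "event-handler", re: /<[^>]*\bon[a-z]+\s*=/i },
  // javascript: scheme in a URL-valued attribute.
  { name: "javascript-uri", re: /javascript:/i },
];

// Return the names of all checks a single label trips.
function checkLabel(label) {
  if (typeof label !== "string") return []; // null or non-text labels carry no markup
  // Browsers ignore tabs and newlines inside URLs, so drop them before matching.
  const normalized = label.replace(/[\t\r\n\0]/g, "");
  return LABEL_CHECKS.filter((c) => c.re.test(normalized)).map((c) => c.name);
}

// Return only the nodes that need review, with the reasons attached.
function auditNodes(nodes) {
  return nodes
    .map((n) => ({ id: n.id, label: n.label, findings: checkLabel(n.label) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample export; ids and labels are invented for the demonstration.
const sampleNodes = [
  { id: "n1", label: "Warehouse, Rotterdam" },
  { id: "n2", label: '<img src=x onerror="void 0">' },
  { id: "n3", label: "<a href=\"java\tscript:void 0\">office</a>" },
  { id: "n4", label: "Temp < 5C & rising" },
  { id: "n5", label: "<svg/onload=void(0)>" },
  { id: "n6", label: null },
];

for (const r of auditNodes(sampleNodes)) {
  // JSON.stringify keeps the label inert and visible when printed to a terminal.
  console.log(`${r.id}\t${r.findings.join(",")}\t${JSON.stringify(r.label)}`);
}
```

The checks favour recall over precision, so flagged labels are candidates for manual review before removal or sanitization.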
Patch Information
The maintainers fixed the issue in Flowsint version 1.2.3. The patch and advisory details are published in the GitHub Security Advisory GHSA-gj93-2vcq-729w. Operators should pull the fixed release from the upstream repository and redeploy.
Workarounds
- Restrict map node creation and editing privileges to a minimum set of trusted analyst accounts until the upgrade is applied.
- Deploy a strict Content Security Policy that disallows inline scripts and untrusted script sources for the Flowsint origin.
- Instruct analysts to avoid opening the map tab on shared or untrusted investigations until the instance is upgraded to 1.2.3.
# Upgrade Flowsint to the patched release
git fetch --tags
git checkout v1.2.3
# Rebuild and redeploy according to your deployment method


