GHSA-7r4h-vmj9-wg42: Flowise Stored XSS vulnerability through logs in chatbot
In the chat log, tags such as `input` and `form` are allowed. This creates a stored cross-site scripting (XSS) vulnerability: an attacker can inject malicious HTML into the log through prompts, and when an admin views the log containing that HTML, the attacker can steal the admin's credentials or other sensitive information.
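The fix for this class of bug is to stop treating chat-log entries as trusted HTML when they are rendered to an admin. The following is an added example, not Flowise's own code: it keeps a small allowlist of attribute-free inline formatting tags, escapes everything else (including `input`, `form` and any tag carrying attributes), and offers a helper for flagging log entries that contain disallowed tags. The tag allowlist and the sample log entry are assumptions constructed for the example; a production deployment would normally use a maintained sanitizer such as DOMPurify with an equivalent configuration.

```javascript
// Attribute-free inline tags that may survive in a rendered log entry (assumed allowlist).
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'code', 'br']);

// Escape the characters that can open a tag, an attribute value or an entity.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Matches an opening or closing tag: name in group 1, raw attribute text in group 2.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;

// Render a chat-log entry so that only allowlisted, attribute-free tags stay live.
function sanitizeLogEntry(entry) {
  let out = '';
  let last = 0;
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(entry)) !== null) {
    out += escapeHtml(entry.slice(last, m.index)); // text between tags is never HTML
    const name = m[1].toLowerCase();
    const attrs = m[2].trim();
    const closing = m[0].startsWith('</');
    if (ALLOWED_TAGS.has(name) && (attrs === '' || attrs === '/')) {
      out += closing ? `</${name}>` : `<${name}>`;
    } else {
      out += escapeHtml(m[0]); // e.g. <input ...>, <form ...>, <b onclick=...> become inert text
    }
    last = TAG_RE.lastIndex;
  }
  return out + escapeHtml(entry.slice(last));
}

// Detection helper for log review: which non-allowlisted tag names appear in an entry.
function findDisallowedTags(entry) {
  const found = new Set();
  for (const m of entry.matchAll(TAG_RE)) {
    const name = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) found.add(name);
  }
  return Array.from(found).sort();
}

// Constructed sample: a prompt that smuggles a form and an input field into the log.
const SAMPLE_ENTRY = 'Please summarise <b>this</b>: <form action="/collect"><input name="u"></form>';
console.log(findDisallowedTags(SAMPLE_ENTRY)); // [ 'form', 'input' ]
console.log(sanitizeLogEntry(SAMPLE_ENTRY));
```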