GHSA-7rgr-72hp-9wp3: Duplicate Advisory: Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel

October 6, 2025 (updated October 8, 2025)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-964p-j4gg-mhwc. This link is maintained to preserve external references.

Original Description

Flowise before 3.0.5 allows XSS via an IFRAME element when an admin views the chat log.

References

github.com/FlowiseAI/Flowise/pull/4905
github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.5
github.com/FlowiseAI/Flowise/security/advisories/GHSA-964p-j4gg-mhwc
github.com/advisories/GHSA-7rgr-72hp-9wp3
nvd.nist.gov/vuln/detail/CVE-2025-50538

Code Behaviors & Features

Detect and mitigate GHSA-7rgr-72hp-9wp3 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →