GHSA-wq95-wr7m-26h4: Duplicate Advisory: Flowise Stored XSS vulnerability through logs in chatbot

October 6, 2025 (updated October 8, 2025)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-7r4h-vmj9-wg42. This link is maintained to preserve external references.

Original Description

Flowise before 3.0.5 allows XSS via a FORM element and an INPUT element when an admin views the chat log.

References

github.com/FlowiseAI/Flowise/pull/4905
github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.5
github.com/FlowiseAI/Flowise/security/advisories/GHSA-7r4h-vmj9-wg42
github.com/advisories/GHSA-wq95-wr7m-26h4
nvd.nist.gov/vuln/detail/CVE-2025-29192

Code Behaviors & Features

Detect and mitigate GHSA-wq95-wr7m-26h4 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →