Cross-Site Scripting Vulnerability in Flowise Software by FlowiseAI
CVE-2025-71331

5.1 MEDIUM

Key Information:

Vendor

Flowise

Status
Vendor
CVE Published: 20 June 2026

What is CVE-2025-71331?

Prior to version 3.0.8, Flowise software has a vulnerability that permits cross-site scripting due to inadequate input filtering in chat messages and custom agent functions. An attacker can exploit this flaw by sending an iframe payload within a chat box or through a custom agent function, allowing external scripts to be executed in the victim's browser. This leads to the potential theft of cookies and session information, compromising user security and privacy.

Affected Version(s)

Flowise 0 < 3.0.8

Flowise 3.0.8

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

quitbug