Stored Cross-Site Scripting Vulnerability in ByteDance DeerFlow
CVE-2026-32859

5.1 MEDIUM

Key Information:

CVE Published: 27 March 2026

What is CVE-2026-32859?

ByteDance DeerFlow is susceptible to a stored cross-site scripting vulnerability in its artifacts API. The flaw allows attackers to upload and store malicious HTML or script content as artifacts, which, when viewed by users, triggers arbitrary code execution in their browsers. This could lead to compromised user sessions and the theft of sensitive credentials. To mitigate the risk, upgrade to the patched version as outlined in the relevant commits.
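One defensive pattern for serving user-uploaded artifacts so that stored HTML or script content is downloaded rather than rendered, shown as an added example; it is not DeerFlow's code and not the content of its patch. The function name `artifact_response_headers` and the extension allowlist are assumptions made for this illustration.

```python
from pathlib import PurePosixPath
from urllib.parse import quote

# Assumed allowlist: extensions that may be displayed inline, mapped to the
# exact Content-Type to send. Everything else is forced to download.
INLINE_SAFE = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
    ".txt": "text/plain; charset=utf-8",
    ".md": "text/plain; charset=utf-8",
    ".json": "text/plain; charset=utf-8",
    ".csv": "text/plain; charset=utf-8",
}


def artifact_response_headers(filename: str) -> dict[str, str]:
    """Return response headers for serving a stored artifact.

    HTML, SVG, XML and any unknown type are never served with a renderable
    Content-Type, so the browser does not run them in the application's origin.
    """
    # Keep only the final path component; fall back to a fixed name if empty.
    name = PurePosixPath(filename.replace("\\", "/")).name or "artifact"
    suffix = PurePosixPath(name).suffix.lower()

    headers = {
        # Stop the browser from sniffing a safe-looking type into HTML.
        "X-Content-Type-Options": "nosniff",
        # If a document is rendered anyway, it runs sandboxed without scripts.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if suffix in INLINE_SAFE:
        headers["Content-Type"] = INLINE_SAFE[suffix]
        headers["Content-Disposition"] = "inline"
    else:
        headers["Content-Type"] = "application/octet-stream"
        # Percent-encoding the name also prevents CR/LF header injection.
        headers["Content-Disposition"] = (
            f"attachment; filename*=UTF-8''{quote(name, safe='')}"
        )
    return headers
```
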

Affected Version(s)

DeerFlow: versions from 0 up to, but not including, commit 5dbb3623b2f0e490c8bb3cd81b1e3b1b12eae1a6

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chia Min Jun Lennon