PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42157 reconurge CVE debrief

CVE-2026-42157 is a stored cross-site scripting issue in Flowsint, an open-source OSINT graph exploration tool. A remote attacker can create a map node with a malicious label containing arbitrary HTML. When a user opens the map tab and selects the node marker, the application renders that HTML, which can trigger stored XSS. The issue is fixed in Flowsint 1.2.3.

Vendor: reconurge
Product: flowsint
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-18
Advisory published: 2026-05-12
Advisory updated: 2026-05-18

Who should care

Organizations and analysts using Flowsint prior to 1.2.3, especially deployments where map nodes or labels can be created from untrusted or semi-trusted data. Security teams should pay particular attention if Flowsint is used in collaborative investigation workflows.

Technical summary

The vulnerability is a CWE-79 HTML injection / stored XSS condition in Flowsint’s map node label rendering path. According to the advisory, a remote attacker can supply a node label containing arbitrary HTML. When the map tab is selected and a map node marker is clicked or selected, the stored label is rendered as HTML in the UI instead of being escaped as text, so attacker-controlled, script-bearing markup executes in the victim’s browser. The published fix is in version 1.2.3.

Defensive priority

Medium. The issue is network-reachable and can affect browser sessions, but it requires a user to interact with the affected map view and depends on malicious content being present in the dataset.

Recommended defensive actions

  • Upgrade Flowsint to version 1.2.3 or later.
  • Review existing map nodes and labels for untrusted or unexpected HTML content.
  • Ensure labels are rendered as text or safely escaped rather than interpreted as HTML.
  • Restrict who can create or modify nodes if collaborative data entry is enabled.
  • Inspect affected deployments for any signs that malicious labels may already have been stored.
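The review and escaping steps above, as an added JavaScript example that is not Flowsint project code; the node object shape (`id`, `label`), the helper names and the sample labels are assumptions constructed for illustration.

```javascript
// Added example, not Flowsint code. Two defensive helpers for map-node labels:
// an HTML-context escaper for rendering, and a triage scan over stored nodes.

// Escape the characters that change meaning inside HTML text or attributes.
function escapeLabel(label) {
  return String(label)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Triage heuristics for reviewing already-stored labels: a tag-like token,
// an inline event-handler attribute, or a javascript: URL. This is a review
// aid for finding unexpected markup, not a sanitizer.
const TAG_RE = /<\s*\/?\s*[a-zA-Z][^>]*>/;
const EVENT_HANDLER_RE = /\bon[a-z]+\s*=/i;
const SCRIPT_URL_RE = /javascript\s*:/i;

// Return the ids and labels of nodes whose label contains markup.
function findSuspiciousLabels(nodes) {
  return nodes
    .filter((n) => {
      const label = String(n.label ?? "");
      return TAG_RE.test(label) || EVENT_HANDLER_RE.test(label) || SCRIPT_URL_RE.test(label);
    })
    .map((n) => ({ id: n.id, label: n.label }));
}

// Build the marker label markup from escaped text only. In a browser the
// equivalent is assigning el.textContent = label rather than el.innerHTML.
function renderMarkerLabel(label) {
  return `<span class="marker-label">${escapeLabel(label)}</span>`;
}

// Constructed sample nodes (hypothetical shape, not real Flowsint data).
const SAMPLE_NODES = [
  { id: 1, label: "example.org" },
  { id: 2, label: "<b>bold</b> domain" },
  { id: 3, label: "Tom & Jerry <3" },
  { id: 4, label: 'name" onload="' },
];
```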

Evidence notes

The CVE description states that prior to 1.2.3, a remote attacker can create a map node with a malicious label containing arbitrary HTML, and that selecting the map tab and node marker renders the HTML, potentially causing stored XSS. The source metadata lists CWE-79 and points to the GitHub Security Advisory GHSA-gj93-2vcq-729w. NVD records the vulnerability as CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N and currently shows vulnStatus as Deferred. The CVE was published on 2026-05-12 and modified on 2026-05-18.

Official resources

Publicly disclosed in the CVE/NVD record on 2026-05-12, with supporting GitHub Security Advisory GHSA-gj93-2vcq-729w. NVD metadata was last modified on 2026-05-18 and currently marks the vulnerability as Deferred.