CVE-2026-42159 affects Flowsint prior to 1.2.3. According to the NVD record and the linked GitHub advisory, a remote attacker can create a node with a malicious description containing arbitrary HTML. When another user selects that node, the HTML is rendered and may trigger stored cross-site scripting. The issue is rated medium severity (CVSS 5.3) and is fixed in Flowsint 1.2.3.
CVE-2026-42157 is a stored cross-site scripting issue in Flowsint, an open-source OSINT graph exploration tool. A remote attacker can create a map node with a malicious label containing arbitrary HTML. When a user opens the map tab and selects the node marker, the application renders that HTML, which can trigger stored XSS. The issue is fixed in Flowsint 1.2.3.
CVE-2026-32311 is a critical remote code execution flaw in Flowsint’s sketch/transform workflow. According to the vendor advisory and NVD record, an attacker who can create a sketch may trigger the org_to_asn transform on an organization node and cause arbitrary OS command execution as root, with a reported container-escape path to the host. The linked commit b52cbbb904c8013b74308d58af88bc7dbb1b055c remov [truncated]