CVE-2025-50538
published 2025-10-06CVE-2025-50538: Flowise before 3.0.5 allows XSS via an IFRAME element when an admin views the chat log.
PriorityP335medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
12.86%
95.8th percentile
Flowise before 3.0.5 allows XSS via an IFRAME element when an admin views the chat log.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flowiseai | flowise | < 3.0.5 | 3.0.5 |
| flowiseai | flowise | >= 0 < 3.0.8 | 3.0.8 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel
osv·2025-10-03
CVE-2025-50538 [CRITICAL] Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel
Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel
### Summary
A stored Cross-Site Scripting (XSS) vulnerability in FlowiseAI allows a user to inject arbitrary JavaScript code via message input. When an administrator views messages using the "View Messages" button in the workflow UI, the malicious script executes in the context of the admin’s browser, enabling credential theft via access to `localStorage`.
---
### Details
The vulnerability stems from a lack of input sanitization when displaying stored user messages in the admin interface. A specially crafted payload using `` can include arbitrary JavaScript, which is executed when the message is rendered.
---
### PoC
1. Deploy a FlowiseAI agent and make it accessible via browser (e
GHSA
Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel
ghsa·2025-10-03
CVE-2025-50538 [CRITICAL] CWE-79 Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel
Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel
### Summary
A stored Cross-Site Scripting (XSS) vulnerability in FlowiseAI allows a user to inject arbitrary JavaScript code via message input. When an administrator views messages using the "View Messages" button in the workflow UI, the malicious script executes in the context of the admin’s browser, enabling credential theft via access to `localStorage`.
---
### Details
The vulnerability stems from a lack of input sanitization when displaying stored user messages in the admin interface. A specially crafted payload using `` can include arbitrary JavaScript, which is executed when the message is rendered.
---
### PoC
1. Deploy a FlowiseAI agent and make it accessible via browser (e
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-10-06
Published