CVE-2026-42156

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a node with a malicious type that can escape an existing Cypher query and an adversary can execute an arbitrary Cypher query. This vulnerability is fixed in 1.2.3.

CVSS

No CVSS.

References

Link	Resource
https://github.com/reconurge/flowsint/security/advisories/GHSA-h5m2-c2c5-968p
https://github.com/reconurge/flowsint/security/advisories/GHSA-h5m2-c2c5-968p

Configurations

No configuration.

History

13 May 2026, 16:10

Type	Values Removed	Values Added
References	~~() https://github.com/reconurge/flowsint/security/advisories/GHSA-h5m2-c2c5-968p -~~	() https://github.com/reconurge/flowsint/security/advisories/GHSA-h5m2-c2c5-968p -

12 May 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-12 23:16

Updated : 2026-05-13 16:10

NVD link : CVE-2026-42156

Mitre link : CVE-2026-42156

CVE.ORG link : CVE-2026-42156

JSON object : View

Products Affected

No product.

CWE

CWE-943

Improper Neutralization of Special Elements in Data Query Logic

{"id": "CVE-2026-42156", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-05-12T23:16:17.203", "references": [{"url": "https://github.com/reconurge/flowsint/security/advisories/GHSA-h5m2-c2c5-968p", "source": "security-advisories@github.com"}, {"url": "https://github.com/reconurge/flowsint/security/advisories/GHSA-h5m2-c2c5-968p", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-943"}]}], "descriptions": [{"lang": "en", "value": "Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a node with a malicious type that can escape an existing Cypher query and an adversary can execute an arbitrary Cypher query. This vulnerability is fixed in 1.2.3."}], "lastModified": "2026-05-13T16:10:57.817", "sourceIdentifier": "security-advisories@github.com"}