Vulnerability  ·  2026-06-21

Flowise Stored XSS in Chat Messages via Iframe Payload

Vulnerability · Medium impact · Global · CVE-2025-71331
CVE-2025-71331 (CVSS 6.1 Medium) was published to NVD on 2026-06-20. Flowise versions before 3.0.8 do not sufficiently filter malicious HTML/JavaScript from chat messages or custom agent function inputs, resulting in a stored cross-site scripting vulnerability. An attacker who can submit messages to the chat (authenticated or via a publicly exposed chat widget) can inject persistent JavaScript payloads affecting all users who subsequently view the conversation.
Stored XSS in an AI agent chat interface can be used to hijack authenticated admin sessions (enabling takeover of the entire Flowise instance), exfiltrate conversation history including sensitive prompts and responses, or pivot to the underlying host via the XSS-to-RCE chains for which Flowise has previously been targeted. It also creates a vector for prompt injection if the injected content is fed back to the LLM.
An attacker sends a chat message containing an iframe payload (e.g., <iframe src="javascript:alert(document.cookie)">) or other JavaScript-bearing HTML tags. Because chat messages and custom agent function inputs are insufficiently filtered, the payload is stored and later rendered in other users' browsers, executing arbitrary JavaScript in the context of the Flowise application.
Affected versions: Flowise < 3.0.8
Remediation: Upgrade to Flowise 3.0.8 or later. Advisory: https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-4fr9-3x69-36wv
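The defensive handling the advisory implies, as an added example (this is not Flowise code and not the filter shipped in 3.0.8): chat messages are stored and displayed as inert text rather than as HTML, and a separate detection pass flags already-stored messages that carry script-capable markup such as the iframe payload described above. Function names, the pattern list and the sample messages are constructed for this illustration.

```javascript
// Added example, not part of the Flowise project. Two defensive layers for a
// chat message store:
//  1. escapeHtml() renders every message as inert text, so no HTML that a
//     user typed ever reaches innerHTML in another viewer's browser.
//  2. flagActiveContent() is a review aid for messages that were stored
//     before the fix: it reports markup that can execute script
//     (iframe/object/embed/script tags, on* handlers, javascript: URLs).
// The pattern list is an assumption about common payload shapes, not an
// exhaustive HTML sanitizer; the escaping layer is the actual control.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five HTML-significant characters so the message displays verbatim.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Browsers decode entities in attribute values and ignore tab/newline/CR
// inside a URL scheme, so normalise before pattern matching.
function normalise(text) {
  return String(text)
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/[\t\n\r\0]/g, '')
    .toLowerCase();
}

const ACTIVE_PATTERNS = [
  { reason: 'embedding tag', re: /<\/?(iframe|frame|object|embed|script|svg|math)\b/ },
  { reason: 'inline event handler', re: /\bon[a-z]+\s*=/ },
  { reason: 'javascript: URL', re: /(src|href|action|formaction|data)\s*=\s*['"]?\s*javascript:/ },
  { reason: 'meta refresh / base hijack', re: /<(meta|base)\b/ },
];

// Return the reasons a message is considered dangerous (empty array = clean).
function flagActiveContent(message) {
  const n = normalise(message);
  return ACTIVE_PATTERNS.filter((p) => p.re.test(n)).map((p) => p.reason);
}

// Store-side policy: keep the escaped form for rendering and record why a
// message was flagged so reviewers can audit the conversation.
function processChatMessage(message) {
  const reasons = flagActiveContent(message);
  return { flagged: reasons.length > 0, reasons, safeHtml: escapeHtml(message) };
}

// Constructed sample messages: the iframe payload quoted in the advisory,
// a mixed-case variant, and two benign messages that contain '<' and quotes.
const SAMPLE_MESSAGES = [
  '<iframe src="javascript:alert(document.cookie)">',
  '<IFRAME SRC="javascript:alert(1)">',
  'What is 2 < 3? Please answer in "plain" text.',
  'Summarise the document for me.',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const m of SAMPLE_MESSAGES) console.log(processChatMessage(m));
}
```

The benign third message shows why escaping rather than stripping is the right default for a chat UI: a literal "<" or a quoted word must survive intact, and the escaped output still displays exactly what the user typed while the browser treats it as text.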
Sources
- NVD: CVE-2025-71331
- GitHub Advisory: GHSA-4fr9-3x69-36wv (FlowiseAI)