Langflow
cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*
A stored cross-site scripting vulnerability has been identified in Langflow. The issue arises in the '/api/v1/files/images/{flow_id}/{file_name}' endpoint, which serves SVG files with the 'image/svg+xml' content type without proper content sanitization. This lack of sanitization allows attackers to upload malicious SVG files that execute arbitrary JavaScript when viewed by other users. Consequently, this vulnerability could be exploited to steal authentication tokens stored in cookies, including JWT access and refresh tokens.
Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded SVG files execute JavaScript in the context of the user viewing the file, potentially leading to the theft of authentication tokens from cookies.
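A defensive sketch for the behaviour described above, added here as an example and not Langflow's code or its patch: it flags script-capable content in an uploaded SVG and picks response headers that stop an SVG from rendering as an active document. The function names, tag list and sample files are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample uploads (not taken from any real report).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
    b'<script>x()</script><a href="javascript:x()">t</a></svg>')

ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}

def local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def svg_active_content(data: bytes) -> list[str]:
    """Return the reasons an SVG could run script; an empty list means none found."""
    upper = data.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        return ["DTD/entity declaration"]   # refuse before parsing untrusted XML
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]      # fail closed on anything unparsable
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr)              # also covers xlink:href
            url = "".join(value.split()).lower()
            if name.startswith("on"):
                findings.append(f"event handler {name}")
            elif name == "href" and url.startswith(("javascript:", "data:")):
                findings.append(f"scriptable {name} URL")
    return findings

def headers_for_upload(file_name: str) -> dict[str, str]:
    """Headers for a user-uploaded image; SVG is sandboxed and sent as a download."""
    headers = {"X-Content-Type-Options": "nosniff"}
    if file_name.lower().endswith((".svg", ".svgz")):
        headers["Content-Security-Policy"] = "default-src 'none'; style-src 'unsafe-inline'; sandbox"
        headers["Content-Disposition"] = "attachment"
    return headers
```

The header policy is the stronger of the two controls, since it holds even when the content check misses a construct; the check is useful for rejecting or logging uploads at write time.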