CVE-2026-32859

MEDIUM

ByteDance DeerFlow Stored XSS via Inline Artifact Rendering

Title source: cna

Description

ByteDance Deer-Flow versions prior to commit 5dbb362 contain a stored cross-site scripting vulnerability in the artifacts API that allows attackers to execute arbitrary scripts by uploading malicious HTML or script content as artifacts. Attackers can store malicious content that executes in the browser context when users view artifacts, leading to session compromise, credential theft, and arbitrary script execution.

References (3)

[Issue Tracking] https://github.com/bytedance/deer-flow/pull/1389

[Patch] https://github.com/bytedance/deer-flow/commit/5dbb3623b2f0e490c8bb3cd81b1e3b1b12eae1a6

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/bytedance-deerflow-stored-xss-via-inline-artifact-rendering

Scores

CVSS v3 5.4

EPSS 0.0003

EPSS Percentile 10.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

Bytedance Inc./DeerFlow < 5dbb3623b2f0e490c8bb3cd81b1e3b1b12eae1a6

Published Mar 27, 2026

Tracked Since Mar 29, 2026