🔐 CVE Alert

CVE-2026-32859

MEDIUM 5.4

ByteDance DeerFlow Stored XSS via Inline Artifact Rendering

CVSS Score: 5.4
EPSS Score: 0.0%
EPSS Percentile: 0th

ByteDance Deer-Flow versions prior to commit 5dbb362 contain a stored cross-site scripting vulnerability in the artifacts API that allows attackers to execute arbitrary scripts by uploading malicious HTML or script content as artifacts. Attackers can store malicious content that executes in the browser context when users view artifacts, leading to session compromise, credential theft, and arbitrary script execution.

CWE: CWE-79
Vendor: bytedance inc.
Product: deerflow
Published: Mar 27, 2026
Last Updated: Mar 27, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Affected Versions

Bytedance Inc. / DeerFlow
All versions before commit 5dbb3623b2f0e490c8bb3cd81b1e3b1b12eae1a6 (the fix commit)

References

github.com (fix pull request): https://github.com/bytedance/deer-flow/pull/1389
github.com (fix commit): https://github.com/bytedance/deer-flow/commit/5dbb3623b2f0e490c8bb3cd81b1e3b1b12eae1a6
vulncheck.com (advisory): https://www.vulncheck.com/advisories/bytedance-deerflow-stored-xss-via-inline-artifact-rendering

Credits

Chia Min Jun Lennon