CVE-2026-32311 · CRITICAL 9.8 · EPSS p39.2%

Description

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have controllable graphs, which are composed of nodes and relationships. These nodes and relationships hold the sketch's information on an OSINT target (usernames, websites, etc.). Automated processes called 'transformers' can be executed on the nodes. A remote attacker can create a sketch, then trigger the 'org_to_asn' transform on an organization node to execute arbitrary OS commands as root on the host machine via shell metacharacters and a Docker container escape. Commit b52cbbb904c8013b74308d58af88bc7dbb1b055c appears to remove the code that causes this issue.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.51% probability of exploitation · percentile 39.2% · 2026-06-19T12:03:05Z
Published: 2026-04-20
Last modified: 2026-05-22

Underlying weaknesses · 1

CWE-78

References

  1. https://github.com/reconurge/flowsint/commit/b52cbbb904c8013b74308d58af88bc7dbb1b055c
  2. https://github.com/reconurge/flowsint/security/advisories/GHSA-9g44-8xv2-f2m9

Type: Weakness
Target: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (cwe-78)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-33587
CVE-2026-9813
CVE-2026-33277
CVE-2026-25632
CVE-2026-42234
CVE-2026-34430

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.