GHSA-v7qw-hx66-4w9x: netbox-data-flows has stored XSS in ObjectAlias names rendered inside DataFlow tables
An authenticated user who can create or edit ObjectAlias objects can store arbitrary HTML/JavaScript in an alias name. That payload is later rendered unescaped in DataFlow table views, causing a stored XSS when another user views the affected page.
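The pattern described above, as an added example that is not the plugin's own code: a table cell renderer that interpolates alias names into HTML, beside a version that escapes them at output time, plus a parser-based check that works as a regression test. The function names, the `/aliases/<id>/` URL shape and the sample records are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample records (not taken from the plugin): the second name
# stands in for markup stored by a user allowed to edit aliases.
ALIASES = [
    {"id": 1, "name": "web-servers"},
    {"id": 2, "name": "<script>alert(1)</script>"},
]


def render_aliases_unsafe(aliases):
    """Before: names go into the cell verbatim, so stored markup becomes live markup."""
    return ", ".join(
        f'<a href="/aliases/{a["id"]}/">{a["name"]}</a>' for a in aliases
    )


def render_aliases_safe(aliases):
    """After: every stored value is HTML-escaped when the cell is built.

    In a Django code base the same effect comes from format_html() or
    escape() rather than marking a hand-built string as safe.
    """
    return ", ".join(
        '<a href="/aliases/{}/">{}</a>'.format(int(a["id"]), escape(str(a["name"])))
        for a in aliases
    )


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def rendered_tags(cell_html):
    """Return the element names a browser would see in the rendered cell."""
    collector = _TagCollector()
    collector.feed(cell_html)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print(rendered_tags(render_aliases_unsafe(ALIASES)))
    print(rendered_tags(render_aliases_safe(ALIASES)))
```

A test that asserts only the expected `a` elements appear in the rendered cell catches any later change that reintroduces unescaped output for this column.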