Versions of node-red
prior to 0.20.8are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize the name
field in new Flows, allowing attackers to execute arbitrary JavaScript in the victim’s browser.
Upgrade to version 0.18.6 or later.