Skip to main content

Flowmon ADS CVE-2026-9272

| EUVDEUVD-2026-41374 HIGH
SQL Injection (CWE-89)
2026-07-02 ProgressSoftware GHSA-99jj-h9fr-3fxx
8.7
CVSS 4.0 · Vendor: ProgressSoftware
Share

Severity by source

Vendor (ProgressSoftware) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-reachable low-complexity SQLi needing only a low-privileged account (PR:L, AC:L, AV:N); High C/I from confirmed data read and modification, A:H retained to match vendor availability rating.

3.1 AV:N/AC:L/PR:L/UI:N/S:N/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (ProgressSoftware).

CVSS VectorVendor: ProgressSoftware

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 14:45 vuln.today

DescriptionCVE.org

In Progress Flowmon ADS versions prior to 12.5.6 and 13.0.5, a vulnerability exists whereby an adversary who is authenticated as a low-privileged user in the Anomaly Detection System (ADS) may send specially crafted requests that could result in unauthorized access to application data and its modification.

AnalysisAI

SQL injection in Progress Flowmon ADS (Anomaly Detection System) before versions 12.5.6 and 13.0.5 allows a low-privileged authenticated user to read and modify application data by sending specially crafted requests. The CVSS 4.0 base score of 8.7 (High) reflects high confidentiality and integrity impact plus availability impact over the network with only low privileges required. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privileged ADS user
Delivery
Reach ADS request endpoint over network
Exploit
Send crafted SQL injection request
Execution
Manipulate backend database query
Impact
Read and modify unauthorized application data

Vulnerability AssessmentAI

Exploitation Requires a valid authenticated session as a low-privileged user of the Flowmon ADS application (CVSS PR:L, corroborated by the description's 'authenticated as a low-privileged user'); fully unauthenticated exploitation is not indicated. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) indicates a network-reachable, low-complexity attack that needs no user interaction but does require low-privileged authentication (PR:L) - so this is a post-authentication issue, not a fully unauthenticated internet-wide threat, which meaningfully lowers real-world risk versus a PR:N flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds or obtains any low-privileged Flowmon ADS account (for example an operator or read-only analyst) logs into the application and submits a crafted request containing SQL injection payloads to a vulnerable endpoint. Because the input is unsafely incorporated into database queries, the attacker reads sensitive application data belonging to other users or roles and modifies records they should not control, potentially leveraging the tagged authentication-bypass behavior to escalate access. …
Remediation Vendor-released patch: upgrade to Flowmon ADS 12.5.6 (for 12.x deployments) or 13.0.5 (for 13.x deployments) or later, as directed in the Progress advisory at https://community.progress.com/s/article/Flowmon-CVE-2026-9272. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all Flowmon ADS deployments and identify versions before 12.5.6 and 13.0.5. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9272 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy