Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable low-complexity SQLi needing only a low-privileged account (PR:L, AC:L, AV:N); High C/I from confirmed data read and modification, A:H retained to match vendor availability rating.
Primary rating from Vendor (ProgressSoftware).
CVSS VectorVendor: ProgressSoftware
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
In Progress Flowmon ADS versions prior to 12.5.6 and 13.0.5, a vulnerability exists whereby an adversary who is authenticated as a low-privileged user in the Anomaly Detection System (ADS) may send specially crafted requests that could result in unauthorized access to application data and its modification.
AnalysisAI
SQL injection in Progress Flowmon ADS (Anomaly Detection System) before versions 12.5.6 and 13.0.5 allows a low-privileged authenticated user to read and modify application data by sending specially crafted requests. The CVSS 4.0 base score of 8.7 (High) reflects high confidentiality and integrity impact plus availability impact over the network with only low privileges required. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a valid authenticated session as a low-privileged user of the Flowmon ADS application (CVSS PR:L, corroborated by the description's 'authenticated as a low-privileged user'); fully unauthenticated exploitation is not indicated. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) indicates a network-reachable, low-complexity attack that needs no user interaction but does require low-privileged authentication (PR:L) - so this is a post-authentication issue, not a fully unauthenticated internet-wide threat, which meaningfully lowers real-world risk versus a PR:N flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds or obtains any low-privileged Flowmon ADS account (for example an operator or read-only analyst) logs into the application and submits a crafted request containing SQL injection payloads to a vulnerable endpoint. Because the input is unsafely incorporated into database queries, the attacker reads sensitive application data belonging to other users or roles and modifies records they should not control, potentially leveraging the tagged authentication-bypass behavior to escalate access. … |
| Remediation | Vendor-released patch: upgrade to Flowmon ADS 12.5.6 (for 12.x deployments) or 13.0.5 (for 13.x deployments) or later, as directed in the Progress advisory at https://community.progress.com/s/article/Flowmon-CVE-2026-9272. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all Flowmon ADS deployments and identify versions before 12.5.6 and 13.0.5. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41374
GHSA-99jj-h9fr-3fxx