Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Lifecycle Timeline
Description (CVE.org)
A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session.
Analysis (AI)
Progress Flowmon 12.x and 13.0.x contain a cross-site scripting (XSS) vulnerability allowing authenticated attackers to execute malicious JavaScript in administrator sessions via crafted links. Affected versions: Flowmon 12.x prior to 12.5.8 and 13.x prior to 13.0.6. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Requires three specific prerequisites: (1) the attacker possesses valid low-privileged credentials to Progress Flowmon (PR:L in the CVSS vector) or the ability to deliver a payload to authenticated users, (2) the target administrator must actively click the malicious link while holding an authenticated session to the Flowmon web interface (UI:A in the CVSS vector), and (3) the vulnerable Flowmon instance must be network-accessible to the attacker for payload delivery (AV:N in the CVSS vector). … |
| Risk Assessment | Real-world exploitation risk is moderate despite the high CVSS 8.5 score, with multiple limiting factors tempering urgency. … |
| Exploit Scenario | An attacker with low-privileged Flowmon credentials crafts a malicious URL containing a JavaScript payload and delivers it to a Flowmon administrator via email or instant message, or embeds it in a compromised website the administrator frequents. When the administrator clicks the link while authenticated to the Flowmon web interface, the unescaped script executes in their browser session with administrator privileges, enabling the attacker to steal session tokens, modify network monitoring configurations, exfiltrate sensitive traffic analysis data, or create persistent backdoor accounts. … |
| Remediation | Upgrade to Progress Flowmon version 12.5.8 (for 12.x deployments) or version 13.0.6 (for 13.x deployments) as documented in the vendor security advisory at https://community.progress.com/s/article/CVE-2026-2737-Progress-Flowmon. … |
Recommended Action (AI)
Within 24 hours: Inventory all Progress Flowmon instances and identify versions 12.x (pre-12.5.8) and 13.0.x (pre-13.0.6). …
Progress Flowmon versions prior to 12.5.8 allow authenticated low-privileged users to execute arbitrary commands on the
Privilege escalation via incorrect authorization in Progress Flowmon lets an authenticated low-privileged user abuse the
Same weakness: CWE-79 – Cross-site Scripting (XSS)
EUVD-2026-18222
GHSA-g7f7-cc3w-5g3g