Flow
Vaadin Flow's Maven and Gradle build plugins expose all process-level environment variables - including CI-injected secrets and credentials - in plaintext build logs whenever the frontend build process exits with a non-zero status code. Affected are com.vaadin:flow-maven-plugin, flow-gradle-plugin, and flow-plugin-base across Vaadin 23.0.0-23.6.9, 24.0.0-24.10.3, and 25.0.0-25.1.4. No public exploit code exists and this is not listed in CISA KEV; however, any actor with read access to CI build logs from a failed frontend build can extract plaintext registry credentials, deploy tokens, or signing keys, enabling downstream supply chain compromise consistent with the CVSS SC:H/SI:H subsequent-system impact ratings.
Authorization bypass in Windmill 1.56.0-1.614.0 enables Operator role users to escalate privileges to remote code execution. Operators can bypass documented role restrictions via unprotected backend API endpoints to create/modify scripts, flows, and apps, then execute arbitrary code through the jobs API. Public exploit code exists (GitHub: Chocapikk/Windfall). EPSS data unavailable, but the low attack complexity (AC:L), network access vector (AV:N), and availability of weaponized POC indicate elevated real-world risk for self-hosted Windmill deployments with Operator-level users.
Improper verification of intent by broadcast receiver in Samsung Flow prior to version 4.9.17.6 allows local attackers to modify Samsung Flow configuration. Rated medium severity (CVSS 6.2), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Improper input validation in Samsung Flow prior to version 4.9.17.6 allows local attackers to access data within Samsung Flow. Rated medium severity (CVSS 5.5), this vulnerability has low attack complexity. No vendor patch available.