Flowmon

3 CVEs product

CVE-2026-8079 HIGH This Week

Privilege escalation via incorrect authorization in Progress Flowmon lets an authenticated low-privileged user abuse the PDF generation workflow to have operations executed under another user's identity, exposing sensitive data and permitting unauthorized configuration changes. It affects all Flowmon releases before 12.5.9 (12.x branch) and before 13.0.10 (13.x branch). No public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor CVSS 4.0 score is 8.7 (High).

Tags: Authentication Bypass, Information Disclosure, Flowmon
Sources: NVD, VulDB
CVSS 4.0: 8.7 | EPSS: 0.2%

CVE-2026-2737 HIGH This Week

Progress Flowmon 12.x and 13.0.x contain a cross-site scripting (XSS) vulnerability that allows authenticated attackers to execute malicious JavaScript in administrator sessions via crafted links. Affected versions: Flowmon 12.x prior to 12.5.8 and 13.x prior to 13.0.6. The CVSS score of 8.5 (High) reflects network-based delivery with low complexity, requiring privileged access and user interaction. The EPSS score of 0.05% (15th percentile) indicates minimal observed exploitation activity. No active exploitation is confirmed (not in CISA KEV); SSVC designates exploitation status as 'none', rates the attack as non-automatable because it requires user interaction, and rates technical impact as total. Vendor Progress Software has released patches addressing the XSS flaw.

Tags: XSS, Flowmon
Sources: NVD
CVSS 4.0: 8.5 | EPSS: 0.0%

CVE-2026-3692 HIGH This Week

Progress Flowmon versions prior to 12.5.8 allow authenticated low-privileged users to execute arbitrary commands on the server by crafting malicious requests during the report generation process. The vulnerability stems from improper input validation in the report generation functionality, enabling command injection attacks. While no CVSS score or public exploit code has been disclosed at time of analysis, the direct path to remote code execution via an authenticated user represents a significant risk to Flowmon deployments.

Tags: Command Injection, Flowmon
Sources: NVD
CVSS 4.0: 8.7 | EPSS: 0.0%