Skip to main content

Linqi

10 CVEs product

Monthly

CVE-2026-11369 HIGH This Week

Cross-tenant comment access in linqi BPM platform versions through 1.4.8.5 allows any authenticated user to read and write comments on arbitrary process objects across all business units by supplying a chosen GUID to the /api/Comment endpoints. The flaw stems from missing authorization checks on the relatedObjectId parameter and carries a CVSS 4.0 score of 7.1 with no public exploit identified at time of analysis. Because exploitation requires only low-privilege credentials and no user interaction, it is well-suited to insider abuse or post-compromise lateral movement within multi-tenant deployments.

Authentication Bypass Linqi
NVD
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-11346 MEDIUM PATCH This Month

Server-side request forgery in linqi's custom process creation feature allows authenticated attackers to conduct internal network reconnaissance by forcing the server to issue arbitrary outbound HTTP requests. Affected product is linqi by linqi GmbH (all versions per CPE cpe:2.3:a:linqi_gmbh:linqi:*). By embedding a crafted HTTP Request component inside a custom workflow process, the attacker can enumerate internal hosts and open ports through differential response analysis (Success, Failed, or 504 Gateway Time-out). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

SSRF Linqi
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-11345 MEDIUM PATCH This Month

Authentication bypass in linqi's /api/Cdn/GetFile endpoint allows unauthenticated remote attackers to circumvent the ValidateAnonFileAccess authorization check by supplying an 'AnonFile' query parameter of exactly 256 characters. Despite the CVSS 4.0 score of 6.9 and a PR:N/AC:L attack vector suggesting easy, unauthenticated exploitation, the vendor's own advisory explicitly confirms the security impact is negligible: the only resources accessible via this bypass are minified JavaScript and CSS files already served publicly through a CDN. No public exploit code has been identified at time of analysis, and there is no CISA KEV listing.

Authentication Bypass Information Disclosure Linqi
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-11347 HIGH This Week

Cryptographic weaknesses in the linqi application (versions ≤1.4.8.5) allow local attackers with low-level privileges to decrypt sensitive obfuscated configuration data, including database connection strings stored in appsettings.json. The flaw combines hardcoded cryptographic keys (CWE-321) with a weak, limited-ASCII-charset algorithm for dynamically generating AES/CBC Initialization Vectors, enabling known-plaintext attacks. No public exploit identified at time of analysis, and the CVE is not present in CISA KEV, but the CVSS 4.0 score of 8.5 reflects high confidentiality and integrity impact.

Information Disclosure Linqi
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2024-33868 CRITICAL Act Now

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection LDAP Microsoft Linqi
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-33867 MEDIUM This Month

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Microsoft Linqi
NVD
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-33866 MEDIUM This Month

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Microsoft Linqi
NVD
CVSS 3.1
5.5
EPSS
0.4%
CVE-2024-33865 HIGH This Week

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Microsoft Linqi
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-33864 MEDIUM This Month

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SSRF Microsoft Linqi
NVD
CVSS 3.1
5.9
EPSS
0.5%
CVE-2024-33863 CRITICAL Act Now

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LFI PHP Information Disclosure Microsoft Linqi
NVD
CVSS 3.1
9.8
EPSS
0.6%
EPSS 0% CVSS 7.1
HIGH This Week

Cross-tenant comment access in linqi BPM platform versions through 1.4.8.5 allows any authenticated user to read and write comments on arbitrary process objects across all business units by supplying a chosen GUID to the /api/Comment endpoints. The flaw stems from missing authorization checks on the relatedObjectId parameter and carries a CVSS 4.0 score of 7.1 with no public exploit identified at time of analysis. Because exploitation requires only low-privilege credentials and no user interaction, it is well-suited to insider abuse or post-compromise lateral movement within multi-tenant deployments.

Authentication Bypass Linqi
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Server-side request forgery in linqi's custom process creation feature allows authenticated attackers to conduct internal network reconnaissance by forcing the server to issue arbitrary outbound HTTP requests. Affected product is linqi by linqi GmbH (all versions per CPE cpe:2.3:a:linqi_gmbh:linqi:*). By embedding a crafted HTTP Request component inside a custom workflow process, the attacker can enumerate internal hosts and open ports through differential response analysis (Success, Failed, or 504 Gateway Time-out). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

SSRF Linqi
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Authentication bypass in linqi's /api/Cdn/GetFile endpoint allows unauthenticated remote attackers to circumvent the ValidateAnonFileAccess authorization check by supplying an 'AnonFile' query parameter of exactly 256 characters. Despite the CVSS 4.0 score of 6.9 and a PR:N/AC:L attack vector suggesting easy, unauthenticated exploitation, the vendor's own advisory explicitly confirms the security impact is negligible: the only resources accessible via this bypass are minified JavaScript and CSS files already served publicly through a CDN. No public exploit code has been identified at time of analysis, and there is no CISA KEV listing.

Authentication Bypass Information Disclosure Linqi
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Cryptographic weaknesses in the linqi application (versions ≤1.4.8.5) allow local attackers with low-level privileges to decrypt sensitive obfuscated configuration data, including database connection strings stored in appsettings.json. The flaw combines hardcoded cryptographic keys (CWE-321) with a weak, limited-ASCII-charset algorithm for dynamically generating AES/CBC Initialization Vectors, enabling known-plaintext attacks. No public exploit identified at time of analysis, and the CVE is not present in CISA KEV, but the CVSS 4.0 score of 8.5 reflects high confidentiality and integrity impact.

Information Disclosure Linqi
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection LDAP Microsoft +1
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Microsoft Linqi
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Microsoft Linqi
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Microsoft Linqi
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

SSRF Microsoft Linqi
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LFI PHP Information Disclosure +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy