Skip to main content

Warm Flow

1 CVEs product

Monthly

CVE-2026-6125 Maven LOW POC PATCH GHSA Monitor

Remote code injection in Dromara warm-flow up to version 1.8.4 allows authenticated attackers to execute arbitrary code through the SpelHelper.parseExpression function via manipulation of listenerPath, skipCondition, or permissionFlag parameters in the Workflow Definition Handler. The vulnerability uses SpEL (Spring Expression Language) injection to achieve code execution with CVSS 6.3 severity. Publicly available exploit code exists and the flaw has been documented in the project's issue tracker.

Code Injection RCE Warm Flow
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Remote code injection in Dromara warm-flow up to version 1.8.4 allows authenticated attackers to execute arbitrary code through the SpelHelper.parseExpression function via manipulation of listenerPath, skipCondition, or permissionFlag parameters in the Workflow Definition Handler. The vulnerability uses SpEL (Spring Expression Language) injection to achieve code execution with CVSS 6.3 severity. Publicly available exploit code exists and the flaw has been documented in the project's issue tracker.

Code Injection RCE Warm Flow
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy