CRITICAL🇵🇱 Wersja polska

CVE-2022-39036

CVSS 9.8v3.1pub. 2022-11-10upd. 2024-11-21

The file upload function of Agentflow BPM has insufficient filtering for special characters in URLs. An unauthenticated remote attacker can exploit this vulnerability to upload arbitrary file and execute arbitrary code to manipulate system or disrupt service.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Flowring Agentflow

    APP
    Flowring
    4.0.0.1183.552
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-2096CRITICAL9.3PL ✓ten sam produkt

Flowring Agentflow — brak uwierzytelnienia umożliwia manipulację bazą danych

CVE-2026-2095CRITICAL9.3PL ✓ten sam produkt

Pomijanie uwierzytelnienia w Flowring Agentflow — przejęcie tokenu dowolnego użytkownika

CVE-2025-3709CRITICAL9.8PL ✓ten sam produkt

Flowring Agentflow — pominięcie blokady konta umożliwia atak brute force

CVE-2026-2097HIGH8.7ten sam produkt

Agentflow developed by Flowring has an Arbitrary File Upload vulnerability, allowing authenticated remote atta...

CVE-2022-39037HIGH7.5ten sam produkt

Agentflow BPM file download function has a path traversal vulnerability. An unauthenticated remote attacker ca...