CVE-2021-47978

MEDIUM

ProcessMaker 3.5.4 Local File Inclusion via Path Traversal

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47978. PoCs published by Ai Ho.

AI-analyzed exploit summary: The exploit demonstrates a Local File Inclusion (LFI) vulnerability in ProcessMaker <= 3.5.4 by using path traversal sequences to access sensitive files like /etc/passwd. The provided curl command and Jaeles scanner signature confirm the vulnerability's exploitability.

Description

ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Attackers can send requests with directory traversal sequences to access sensitive system files like /etc/passwd without authentication.

Exploits (1)

exploitdb · WORKING POC
by Ai Ho · text · webapps · multiple
https://www.exploit-db.com/exploits/50229

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: ProcessMaker <= 3.5.4
No auth needed
Prerequisites: network access to the target server
devstral-2 · analyzed May 16, 2026

References (3)

Core References
Exploit: ExploitDB-50229
https://www.exploit-db.com/exploits/50229
Product: Official Product Homepage
https://www.processmaker.com/
Third Party Advisory: VulnCheck Advisory: ProcessMaker 3.5.4 Local File Inclusion via Path Traversal
https://www.vulncheck.com/advisories/processmaker-local-file-inclusion-via-path-traversal

Scores

CVSS v3 6.2
EPSS 0.0078
EPSS Percentile 51.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-98
Status published
Products (1)
Processmaker/ProcessMaker < 3.5.4
Published May 16, 2026
Tracked Since May 16, 2026