CVE-2022-39036

CRITICAL

Agentflow BPM - RCE

Description

The file upload function of Agentflow BPM has insufficient filtering for special characters in URLs. An unauthenticated remote attacker can exploit this vulnerability to upload arbitrary files and execute arbitrary code to manipulate the system or disrupt service.

Scores

CVSS v3 9.8
EPSS 0.0610
EPSS Percentile 90.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-434
Status published
Products (1)
flowring/agentflow 4.0.0.1183.552
Published Nov 10, 2022
Tracked Since Feb 18, 2026