CVE-2022-39036

CRITICAL

Agentflow BPM - Unauthenticated Arbitrary File Upload and Remote Code Execution via URL Special Character Bypass

Title source: llm

Description

The file upload function of Agentflow BPM has insufficient filtering of special characters in URLs. An unauthenticated remote attacker can exploit this vulnerability to upload arbitrary files and execute arbitrary code, manipulating the system or disrupting service.
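The flaw class described above (CWE-434 reached through special characters in the URL) usually comes down to validating the upload name before it is decoded, or deny-listing extensions instead of allow-listing them. The following is an added illustration, not Agentflow BPM's code and not a reproduction of its actual bug: a naive filter of that shape beside a hardened one, run over constructed sample names. The storage directory, the allow-list and the sample names are assumptions.

```python
# Illustrative upload-name handling for the URL-special-character upload
# pattern. Hypothetical code: it is NOT Agentflow BPM's implementation and
# does not reproduce the vendor's specific filter.
from __future__ import annotations

import posixpath
import re
from urllib.parse import unquote

UPLOAD_ROOT = "/srv/uploads"                      # assumed storage directory
ALLOWED_EXT = {".pdf", ".png", ".jpg", ".txt"}    # assumed allow-list
_SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


def naive_is_safe(raw_name: str) -> bool:
    """Bypassable filter: inspects the still-encoded URL path component.

    The separator and traversal checks run on the raw text, and the
    extension deny-list is matched before decoding, so "%2e%2e%2f" and
    "%2ejsp" are not seen for what they become after unquote()."""
    if ".." in raw_name or "/" in raw_name or "\\" in raw_name:
        return False
    return not raw_name.lower().endswith((".jsp", ".jspx", ".war"))


def naive_target(raw_name: str) -> str:
    """Where the naive server would write: decoding happens after the check."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, unquote(raw_name)))


def hardened_target(raw_name: str) -> str | None:
    """Return the on-disk path for an upload, or None if the name is rejected.

    Order matters: decode first, validate the decoded value, allow-list
    rather than deny-list, then confirm the final path stays under
    UPLOAD_ROOT."""
    decoded = unquote(raw_name)
    if unquote(decoded) != decoded:                  # double-encoded input
        return None
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):  # NUL / controls
        return None
    if "/" in decoded or "\\" in decoded:            # any separator at all
        return None
    stem, ext = posixpath.splitext(decoded)
    if ext.lower() not in ALLOWED_EXT or not _SAFE_STEM.fullmatch(stem):
        return None                                  # "shell.jsp.txt" fails on the stem
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, stem + ext.lower()))
    if not target.startswith(UPLOAD_ROOT + "/"):     # belt and braces
        return None
    return target


# Constructed sample names: one benign, the rest shaped like bypass attempts.
SAMPLES = [
    "report.pdf",
    "%2e%2e%2fwebapps%2fROOT%2fshell%2ejsp",   # encoded traversal + encoded dot
    "%252e%252e%252fshell.txt",                # double-encoded traversal
    "shell.jsp%00.txt",                        # NUL truncation attempt
    "shell.jsp.txt",                           # double extension
]


def compare(names=SAMPLES) -> dict[str, tuple[bool, str | None]]:
    """Map each raw name to (naive verdict, hardened target or None)."""
    return {n: (naive_is_safe(n), hardened_target(n)) for n in names}


if __name__ == "__main__":
    for name, (naive_ok, hard_path) in compare().items():
        verdict = "accept" if naive_ok else "reject"
        print(f"{name!r:45} naive={verdict:6} hardened={hard_path}")
```

The naive filter accepts every sample, and for the encoded traversal name would write outside the upload directory; the hardened version accepts only `report.pdf`. The point to take from the ordering is that every check must run on the fully decoded value, and that a stem allow-list removes the need to enumerate dangerous extensions.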

Scores

CVSS v3 9.8
EPSS 0.0115 (1.15%)
EPSS Percentile 63.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-434
Status published
Products (1)
flowring/agentflow 4.0.0.1183.552
Published Nov 10, 2022
Tracked Since Feb 18, 2026