CVE-2025-26074
CRITICAL
Org.conductoross Conductor-core < 3.21.13 - OS Command Injection
Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes.
References (3)
Various Sources
https://medium.com/@mrcnry/cve-2025-26074-remote-code-execution-in-conductor-oss-via-inline-javascript-injection-5ce3cb651cfb
Various Sources
https://github.com/conductor-oss/conductor
Scores
CVSS v3
9.8
EPSS
0.0068
EPSS Percentile
71.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (1)
org.conductoross/conductor-core
0 - 3.21.13
Maven
Published
Jun 30, 2025
Tracked Since
Feb 18, 2026