Lucene search
K

662 matches found

Nuclei
Nuclei
added yesterday40 views

JEHC-BPM - Remote Code Execute

A Remote Command Execution vulnerability in the component /server/executeExec of JEHC-BPM = v2.0.1 allows attackers to execute arbitrary code. The vulnerability exists due to insufficient authorization checks in the executeExec endpoint which allows direct command execution. id: CVE-2025-45854...

10CVSS6.3AI score0.02685EPSS
Exploits1References2
EUVD
EUVD
added 2026/07/01 12:34 a.m.7 views

EUVD-2026-40416

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation...

7.1CVSS5.9AI score0.00235EPSS
Exploits0References4
NVD
NVD
added 2026/06/30 10:16 p.m.11 views

CVE-2026-58448

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation...

7.1CVSS0.00235EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/30 9:6 p.m.37 views

CVE-2026-58448 yudao-cloud < 2026.06 - BPM Module Broken Access Control via process-instance API

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation...

7.1CVSS0.00235EPSS
Exploits0References3
CVE
CVE
added 2026/06/30 9:6 p.m.17 views

CVE-2026-58448

CVE-2026-58448 affects yudao-cloud (BPM module) prior to 2026.06. A broken access control flaw allows any authenticated user to read arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected GET endpoint that lacks the @PreAuthorize annotati...

7.1CVSS5.9AI score0.00235EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-53997

Name of the Vulnerable Software and Affected Versions yudao-cloud versions prior to 2026.06 Description A broken access control issue exists in the BPM module. An authenticated user can access arbitrary process instance records by providing a caller-controlled process-instance identifier to an...

7.1CVSS6AI score0.00235EPSS
Exploits0References8
EUVD
EUVD
added 2026/06/18 6:30 p.m.11 views

EUVD-2026-37929

setupBpmLogs follows symlink for bpm.log open and chown — container-to-host privilege escalation via /etc/shadow. A compromised process inside a bpm container can cause root to chown an arbitrary host file to vcap and append bpm JSON log lines to it. The chown alone lets the attacker take ownersh...

6.9CVSS5.4AI score0.00125EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.13 views

PT-2026-50775

Name of the Vulnerable Software and Affected Versions bpm-release versions prior to v1.4.30 Description A container-to-host privilege escalation exists where the setupBpmLogs function follows symlinks for bpm.log during open and chown operations. A compromised process within a bpm container can...

6.9CVSS6.1AI score0.00125EPSS
Exploits0References5
Cloud Foundry
Cloud Foundry
added 2026/06/18 12:0 a.m.6 views

CVE-2026-47833 - Symlink vulnerability in setupBpmLogs allows container-to-host privilege escalation via /etc/shadow | Cloud Foundry

Medium CVSS score: 6.8 Medium CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/S:U/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N Vendor Cloud Foundry Foundation Versions Affected Severity is Medium unless otherwise noted. bpm-release – All versions prior to v1.4.30 Description setupBpmLogs follows symlink for bpm.log open and...

6.9CVSS5.6AI score0.00125EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2026/06/05 7:39 p.m.11 views

CVE-2026-34284

Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware component: Human workflow 11g+. Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to...

6.1CVSS7.3AI score0.00179EPSS
Exploits0References1
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/26 5:16 p.m.12 views

Security Bulletin: Due to the use of mchange-commons-java, IBM webMethods BPM is vulnerable to malicious code execution (CVE-2026-27727).

Summary IBM webMethods BPM includes the standalone utility which includes the vulnerable component mchange-commons-java. The tool operates as a standalone utility and is not part of the main runtime environments. Vulnerability Details CVEID:CVE-2026-27727 DESCRIPTION: mchange-commons-java, a...

9.8CVSS6.1AI score0.00812EPSS
Exploits1Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/26 5:14 p.m.10 views

Security Bulletin: Due to the use of c3p0, IBM webMethods BPM is vulnerable to attack via maliciously crafted Java-serialized objects (CVE-2026-27830)

Summary IBM webMethods BPM includes the standalone utility which includes the vulnerable component c3p0. The tool operates as a standalone utility and is not part of the main runtime environments. Vulnerability Details CVEID:CVE-2026-27830 DESCRIPTION: c3p0, a JDBC Connection pooling library, is...

8.9CVSS6.1AI score0.00534EPSS
Exploits0Affected Software1
NVD
NVD
added 2026/04/21 9:16 p.m.10 views

CVE-2026-34284

Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware component: Human workflow 11g+. Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to...

6.1CVSS0.00179EPSS
Exploits0References1
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/17 8:29 a.m.5 views

Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to openid4java

Summary IBM webMethods BPM uses openid4java to implement OpenID-based authentication Vulnerability Details CVEID:CVE-2011-4314 DESCRIPTION: message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before...

5.8CVSS5.9AI score0.03201EPSS
Exploits1Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/17 6:48 a.m.5 views

Security Bulletin: Due to use of jackrabbit-spi-commons IBM webMethods BPM is vulnerable to loading privileges using unsecured document build

Summary IBM webMethods BPM is using jackrabbit-spi-commons which is affected by a known vulnerability CVE-2025-53689. This security bulletin provides guidance on addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-58782 DESCRIPTION: Deserialization of Untrusted Data vulnerability i...

8.8CVSS6.3AI score0.01286EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/03/30 5:52 a.m.8 views

Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to rhino

Summary IBM webMethods BPM uses rhino to embed a JavaScript engine for executing internal scripts related to business logic and configuration. Vulnerability Details CVEID:CVE-2025-66453 DESCRIPTION: Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1,...

7.5CVSS6.8AI score0.00235EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/03/27 6:6 p.m.3 views

Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to JSON-Java

Summary IBM webMethods BPM uses JSON-Java for reading and parsing of JSON data. Vulnerability Details CVEID:CVE-2023-5072 DESCRIPTION: Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts...

7.5CVSS5.9AI score0.01449EPSS
Exploits6Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/03/27 5:59 p.m.4 views

Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to commons-io

Summary IBM webMethods BPM uses commons-io to simplify file and stream handling operations within the application, such as reading, writing, and manipulating files and input/output streams. Vulnerability Details CVEID:CVE-2021-29425 DESCRIPTION: In Apache Commons IO before 2.7, When invoking the...

5.8CVSS5.9AI score0.10608EPSS
Exploits1Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/03/27 5:58 p.m.4 views

Security Bulletin: IBM webMethods BPM is vulnerable to a denial of service due to jetty

Summary IBM webMethods BPM uses jetty to enable embedded web server capabilities within the application. Vulnerability Details CVEID:CVE-2024-6763 DESCRIPTION: Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for...

5.3CVSS5.9AI score0.00986EPSS
Exploits1Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/03/27 8:6 a.m.12 views

Security Bulletin: Due to the use of jetty IBM webMethods BPM is vulnerable to multiple vulnerabilities

Summary IBM webMethods BPM is dependant on jetty which is affected by known vulnerabilities CVE-2019-17638, CVE-2020-27218, CVE-2021-28169, CVE-2021-34428, CVE-2022-2047, CVE-2023-26048, CVE-2023-26049, CVE-2024-13009, CVE-2024-8184 Vulnerability Details CVEID:CVE-2019-17638 DESCRIPTION: In Eclip...

9.4CVSS7AI score0.7848EPSS
Exploits3Affected Software1
Rows per page
Query Builder