12 matches found
CVE-2026-58138
Orkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary OS commands by submitting inline workflow definitions containing malicious JavaScript or Python expressions to the workflow API endpoint prior to...
EUVD-2026-40377
Orkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary OS commands by submitting inline workflow definitions containing malicious JavaScript or Python expressions to the workflow API endpoint prior to...
CVE-2026-58138
CVE-2026-58138 affects Orkes Conductor 3.21.21 up to, but not including, 3.30.2. The vulnerability arises from unsandboxed GraalVM evaluators built with HostAccess.ALL (or allowAllAccess(true)) used by INLINE, LAMBDA, DO_WHILE, and SWITCH task types, enabling an unauthenticated attacker to submit...
PT-2026-53941
Name of the Vulnerable Software and Affected Versions Orkes Conductor versions 3.21.21 through 3.30.1 Description An unauthenticated remote code execution issue exists that allows remote attackers to execute arbitrary OS commands. This occurs when malicious JavaScript or Python expressions are...
CVE-2025-26074
Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes...
GHSA-8GQP-HR9G-PG62 Conductor vulnerable to OS command injection through unrestricted access to Java classes
Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes...
CVE-2025-26074
Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes...
CVE-2025-26074
Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes...
CVE-2025-26074
Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes...
CVE-2025-26074
Orkes Conductor v3.21.11 is affected. The issue arises from unrestricted access to Java classes, enabling remote command execution via the ScriptEvaluator path (inline JavaScript injection). Impact is OS command execution with high severity per CVSS, with network attack vector and no user interac...
CVE-2025-26074
Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes...
PT-2025-27453 · Orkes · Orkes Conductor
Name of the Vulnerable Software and Affected Versions: Orkes Conductor version 3.21.11 Description: The issue allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes. This can lead to remote code execution in Orkes Conductor. Recommendations: Update to...