11 matches found
CVE-2021-47978
CVE-2021-47978 : ProcessMaker 3.5.4 contains a Local File Inclusion (LFI) flaw caused by improper path traversal validation. Unauthenticated attackers can access arbitrary files by sending directory traversal sequences, potentially reading sensitive files such as /etc/passwd. The vulnerability is...
EUVD-2025-21034
Malicious code in bioql PyPI...
CVE-2013-10035
A code injection vulnerability exists in ProcessMaker Open Source versions 2.x when using the default 'neoclassic' skin. An authenticated user can execute arbitrary PHP code via multiple endpoints, including appFolderAjax.php, casesStartPageAjax.php, and casesSchedulerGetPlugins.php, by supplying...
CVE-2025-34097
An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install...
CVE-2025-34097 ProcessMaker < 3.5.4 Authenticated Plugin Upload RCE
An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install...
CVE-2025-34097
CVE-2025-34097 : Unrestricted file upload in ProcessMaker
PT-2025-29139 · Unknown · Processmaker
Name of the Vulnerable Software and Affected Versions: ProcessMaker versions prior to 3.5.4 Description: An unrestricted file upload vulnerability exists due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file...
CVE-2024-25506
Cross Site Scripting vulnerability in Process Maker, Inc ProcessMaker before 4.0 allows a remote attacker to run arbitrary code via control of the pmsyssys cookie...
PT-2022-24467 · Unknown · Processmaker
Name of the Vulnerable Software and Affected Versions: ProcessMaker versions prior to 3.5.4 Description: The issue is related to insecure permissions in the user profile page, allowing attackers to escalate normal users to Administrators. Recommendations: For versions prior to 3.5.4, update to...