Description
ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Attackers can send requests with directory traversal sequences to access sensitive system files like /etc/passwd without authentication.
Published: 2026-05-16
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ProcessMaker 3.5.4 contains a local file inclusion flaw that allows unauthenticated attackers to read arbitrary files on the host by sending HTTP requests with directory traversal sequences. The vulnerability is a CWE-98 path traversal weakness. An attacker can access sensitive files such as /etc/passwd without authentication, leading to confidentiality compromise. No code execution is achieved.

Affected Systems

ProcessMaker in version 3.5.4. No other versions are explicitly listed as affected.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability. The EPSS score is not available, and the flaw is not listed in CISA KEV, but the lack of authentication requirements and the ability to read system files raise a moderate risk. An attacker can trigger the flaw by crafting a URL with directory traversal characters, targeting the vulnerable endpoint, and obtaining file contents. Precautionary measures are required even though there is no known exploit in the wild.

Generated by OpenCVE AI on May 16, 2026 at 16:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ProcessMaker to a fixed version (e.g., 3.5.5 or newer).
  • If an upgrade cannot be performed immediately, configure the web server or application to disable or filter directory traversal sequences and restrict access to sensitive files.
  • Implement network segmentation or firewall rules to limit external exposure of the application and monitor access logs for suspicious traversal attempts.
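The second and third recommended actions (filter traversal sequences and restrict access to sensitive files; monitor access logs for traversal attempts) can be illustrated with the added example below. It is not OpenCVE's or ProcessMaker's code: it assumes a combined-format web access log, a hypothetical /download file-serving endpoint, a hypothetical /var/www/uploads base directory, and constructed log lines with documentation-range client addresses. It shows two things the advisory text only names: a log scanner that normalizes single and double percent-encoding before looking for a ".." segment (so encoded attempts are not missed), and the canonicalize-then-check-prefix guard that a file-serving endpoint needs so that traversal sequences cannot escape its base directory.

```python
import os
import re
from urllib.parse import unquote

# Constructed sample access log (combined-log style). The /download endpoint and the
# client addresses are made up for this example; they are not from any ProcessMaker
# deployment or from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [16/May/2026:15:40:01 +0000] "GET /login HTTP/1.1" 200 5123
203.0.113.5 - - [16/May/2026:15:40:07 +0000] "GET /download/../../../../etc/passwd HTTP/1.1" 200 1812
198.51.100.9 - - [16/May/2026:15:41:13 +0000] "GET /download/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1812
198.51.100.9 - - [16/May/2026:15:41:20 +0000] "GET /download/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 209
192.0.2.7 - - [16/May/2026:15:42:02 +0000] "GET /download/report.pdf HTTP/1.1" 200 90210
"""

# One combined-log line: client, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." path segment, delimited by a slash or by the start/end of the string.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalize(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so single and double encoded dots
    collapse to their literal form, and fold backslashes to forward slashes."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')


def has_traversal(path: str) -> bool:
    """True when the normalized request path contains a '..' segment."""
    return TRAVERSAL_RE.search(normalize(path)) is not None


def scan_log(text: str) -> list:
    """Return one record per request whose path contains a traversal sequence.
    Failed attempts (4xx) are reported too: the attempt matters, not only success."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if has_traversal(m['path']):
            hits.append({'ip': m['ip'], 'ts': m['ts'], 'path': m['path'],
                         'status': int(m['status'])})
    return hits


def attempts_by_ip(hits: list) -> dict:
    """Count traversal attempts per client address, for alert thresholds."""
    counts = {}
    for h in hits:
        counts[h['ip']] = counts.get(h['ip'], 0) + 1
    return counts


def is_within_base(base_dir: str, user_path: str) -> bool:
    """Server-side guard for a file-serving endpoint: join the request path under
    base_dir, canonicalize, and accept only if the result is still inside base_dir.
    Filtering '..' substrings alone is not enough; the canonical path must be checked."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, normalize(user_path).lstrip('/')))
    return os.path.commonpath([base, target]) == base


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['path']}")
    print(attempts_by_ip(hits))
    print(is_within_base('/var/www/uploads', 'report.pdf'))
    print(is_within_base('/var/www/uploads', '../../../../etc/passwd'))
```

The scanner reports the 404 attempt as well as the two successful reads, because repeated traversal probes from one address are the signal worth alerting on regardless of outcome. The guard decodes before canonicalizing, so a percent-encoded request is judged on the path the file system would actually see.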

Advisories

No advisories yet.

History

Sat, 16 May 2026 15:45:00 +0000

Values added by type (this revision removed no values):

  • Description: ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Attackers can send requests with directory traversal sequences to access sensitive system files like /etc/passwd without authentication.
  • Title: ProcessMaker 3.5.4 Local File Inclusion via Path Traversal
  • First Time appeared: Processmaker; Processmaker processmaker
  • Weaknesses: CWE-98
  • CPEs: cpe:2.3:a:processmaker:processmaker:*:*:*:*:*:*:*:*
  • Vendors & Products: Processmaker; Processmaker processmaker
  • References: (none listed)
  • Metrics: cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:28:14.305Z

Reserved: 2026-05-16T14:47:29.875Z

Link: CVE-2021-47978

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-16T16:16:23.360

Modified: 2026-05-16T16:16:23.360

Link: CVE-2021-47978

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T17:15:26Z

Weaknesses