Description
ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Attackers can send requests with directory traversal sequences to access sensitive system files like /etc/passwd without authentication.
Published: 2026-05-16
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ProcessMaker 3.5.4 contains a local file inclusion flaw that allows unauthenticated attackers to read arbitrary files on the host by sending HTTP requests with directory traversal sequences. The vulnerability is classified as CWE-98. An attacker can access sensitive files such as /etc/passwd without authentication, leading to confidentiality compromise. No code execution is achieved.

Affected Systems

ProcessMaker in version 3.5.4. No other versions are explicitly listed as affected.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability. The EPSS score is not available, and the flaw is not listed in CISA KEV, but the lack of authentication requirements and the ability to read system files raise a moderate risk. An attacker can trigger the flaw by crafting a URL with directory traversal characters, targeting the vulnerable endpoint, and obtaining file contents. Precautionary measures are required even though there is no known exploit in the wild.

Generated by OpenCVE AI on May 16, 2026 at 16:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ProcessMaker to a fixed version (e.g., 3.5.5 or newer).
  • If an upgrade cannot be performed immediately, configure the web server or application to disable or filter directory traversal sequences and restrict access to sensitive files.
  • Implement network segmentation or firewall rules to limit external exposure of the application and monitor access logs for suspicious traversal attempts.
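The last two recommended actions (filter traversal sequences, monitor access logs) can be made concrete in code. The following is an added example written for this page; it is not OpenCVE's or ProcessMaker's code. The log lines are constructed, the `/files/` prefix is a placeholder and not a ProcessMaker endpoint, and the base directory `/srv/app/files` is an assumed deployment path. The scanner decodes each request target repeatedly so that single- and double-URL-encoded `..` segments are caught, flags any request whose decoded path contains a `..` segment or a NUL byte, and records the response status so that 200 responses (possible successful disclosure) can be triaged first. The `resolve_within` function shows the containment check an application should apply before opening a user-supplied path.

```python
"""Directory traversal detection over access logs, plus a safe path-resolution
check. Added example for this CVE page; not code from OpenCVE or ProcessMaker."""
import os
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample lines in Combined Log Format (not real traffic). The
# "/files/" prefix is a placeholder path, not an actual ProcessMaker route.
SAMPLE_LOG = """\
203.0.113.5 - - [16/May/2026:16:20:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [16/May/2026:16:20:02 +0000] "GET /files/../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.0"
203.0.113.7 - - [16/May/2026:16:20:03 +0000] "GET /files/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1843 "-" "curl/8.0"
203.0.113.7 - - [16/May/2026:16:20:04 +0000] "GET /files/..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 403 0 "-" "curl/8.0"
203.0.113.9 - - [16/May/2026:16:21:00 +0000] "GET /images/logo.png HTTP/1.1" 200 9321 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def fully_decode(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded sequences such as %252e%252e%252f are seen as '../'."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def find_traversal_attempts(log_text: str) -> List[Dict[str, object]]:
    """Scan log text and return one finding per request whose decoded path
    contains a '..' segment or a NUL byte. Backslashes are treated as
    separators too, since some servers accept them."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = fully_decode(rec["target"])
        path = decoded.split("?", 1)[0].replace("\\", "/")
        if ".." in path.split("/") or "\x00" in path:
            status = int(rec["status"])
            findings.append({
                "ip": rec["ip"],
                "target": rec["target"],
                "decoded": path,
                "status": status,
                # A 200 on a traversal request is the case to triage first.
                "possible_disclosure": status == 200,
            })
    return findings


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Mitigation-side check: resolve a user-supplied relative path under
    base_dir and return the absolute path only if it stays inside base_dir.
    realpath() collapses '..' and follows symlinks before the comparison."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for f in find_traversal_attempts(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['decoded']} disclosure={f['possible_disclosure']}")
    print(resolve_within("/srv/app/files", "../../etc/passwd"))   # None: rejected
    print(resolve_within("/srv/app/files", "reports/q1.pdf"))     # stays inside base
```

Run against the constructed log, three of the five lines are flagged, all from the same client; two returned 200 and are marked as possible disclosure, the 403 is recorded but ranked lower. Note that `resolve_within` rejects on the resolved path, not on the presence of `..` in the input, which is why it also handles encoded and symlink-based variants that a simple substring filter misses.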

Advisories

No advisories yet.

History

Mon, 18 May 2026 19:15:00 +0000

Values removed: (empty)
Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 16 May 2026 15:45:00 +0000

Values removed: (empty)
Values added:
  • Description: ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Attackers can send requests with directory traversal sequences to access sensitive system files like /etc/passwd without authentication.
  • Title: ProcessMaker 3.5.4 Local File Inclusion via Path Traversal
  • First Time appeared: Processmaker; Processmaker processmaker
  • Weaknesses: CWE-98
  • CPEs: cpe:2.3:a:processmaker:processmaker:*:*:*:*:*:*:*:*
  • Vendors & Products: Processmaker; Processmaker processmaker
  • References: (none listed)
  • Metrics (cvssV3_1): {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
  • Metrics (cvssV4_0): {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-18T17:53:17.293Z

Reserved: 2026-05-16T14:47:29.875Z

Link: CVE-2021-47978

Vulnrichment

Updated: 2026-05-18T17:10:13.323Z

NVD

Status : Deferred

Published: 2026-05-16T16:16:23.360

Modified: 2026-05-18T17:32:04.823

Link: CVE-2021-47978

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T17:15:26Z

Weaknesses

  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')