Description
The `flow/admin/moniteur.php` script in Use It Flow administration website before 10.0.0 is vulnerable to Remote Code Execution. When handling GET requests, the script takes user-supplied input from the `action` URL parameter, performs insufficient validation, and incorporates this input into a string that is subsequently executed by the `eval()` function. Although a `method_exists()` check is performed, it only validates the part of the user input *before* the first parenthesis `(`, allowing an attacker to append arbitrary PHP code after a valid method call structure. Successful exploitation allows an unauthenticated or trivially authenticated attacker to execute arbitrary PHP code on the server with the privileges of the web server process.
Published: 2026-03-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability stems from insufficient validation of the action GET parameter in the flow/admin/moniteur.php script of the Use It Flow administration interface. The script performs a method_exists() check only before the first parenthesis, then appends the rest of the input to a string that is evaluated by eval(). An attacker can therefore inject arbitrary PHP code after a valid method call, resulting in remote code execution. This flaw permits an unauthenticated or trivially authenticated attacker to run arbitrary code with the privileges of the web server, compromising confidentiality, integrity, and availability.

Affected Systems

The flaw affects the Use It Flow administration application on all releases earlier than version 10.0.0. No vendor or product identifier is listed in the CNA data, but references point to the Use It Flow site. Systems deploying the legacy admin module with direct access to flow/admin/moniteur.php are vulnerable.

Risk and Exploitability

The CVSS score of 8.8 classifies the vulnerability as high severity, though the EPSS score is below 1%, indicating low likelihood of current exploitation in the wild. The flaw is not yet listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by issuing a crafted HTTP GET request to the vulnerable script; no special privilege or network restrictions are required. Given the wide-reaching impact and the simple attack vector, immediate action is warranted.

Generated by OpenCVE AI on March 17, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Use It Flow administration to version 10.0.0 or later
  • If an upgrade is not feasible, restrict access to the flow/admin/moniteur.php endpoint to trusted users only
  • Implement input sanitization to prevent eval execution or disable the eval functionality
  • Apply a web application firewall rule that blocks unexpected PHP code execution
  • Verify the web server runs with the least privilege and consider isolating the admin application
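The description above explains the defect: a `method_exists()` check that only inspects the text before the first `(`, after which the whole request value is handed to `eval()`. The following is an added example (it is not Use It Flow's code, and the `Moniteur` class, its method names and the log lines are constructed for illustration) that shows the two defender-side pieces the recommended actions call for: a dispatcher that resolves the `action` parameter against a strict allowlist and never passes request data to `eval()`, and a small access-log triage helper that flags requests to the endpoint whose `action` value is anything other than a bare identifier.

```php
<?php
// Added example, not the Use It Flow project's code. The Moniteur class,
// its actions and the sample log lines below are hypothetical/constructed.
declare(strict_types=1);

final class Moniteur
{
    /** Allowlist: request value => method to invoke. Only these keys are
     *  ever accepted; the request value itself is never treated as code. */
    private const ACTIONS = [
        'status'  => 'showStatus',
        'refresh' => 'refresh',
    ];

    public function showStatus(): string { return 'status ok'; }
    public function refresh(): string    { return 'refreshed'; }

    /**
     * Validate the raw `action` parameter. Returns the method to call, or
     * null when the value is not exactly one allowlisted key. A bare
     * identifier is required, so parentheses, semicolons or quotes are
     * rejected here, which is what the "method_exists() before the first
     * parenthesis" check in the vulnerable pattern failed to guarantee.
     */
    public static function resolveAction(?string $raw): ?string
    {
        if ($raw === null || !preg_match('/\A[a-z]{1,32}\z/', $raw)) {
            return null;
        }
        return self::ACTIONS[$raw] ?? null;
    }

    /** Dispatch without eval(): a variable method call on a validated name. */
    public function dispatch(?string $raw): string
    {
        $method = self::resolveAction($raw);
        if ($method === null) {
            return 'invalid action'; // a real endpoint would also send HTTP 400
        }
        return $this->$method();
    }
}

/**
 * Triage helper for web-server access logs: returns the lines that request
 * moniteur.php with an `action` value that is not a plain identifier
 * (for example one containing '(' or ';' after URL-decoding).
 */
function flagSuspiciousActions(array $logLines): array
{
    $flagged = [];
    foreach ($logLines as $line) {
        if (!preg_match('~moniteur\.php\?[^ "]*\baction=([^& "]*)~', $line, $m)) {
            continue; // not a request to the affected script
        }
        $value = rawurldecode($m[1]);
        if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/', $value)) {
            $flagged[] = $line;
        }
    }
    return $flagged;
}

// Constructed request values: a legitimate action and one that appends
// code after a valid method name, as the advisory describes.
$m = new Moniteur();
foreach (['status', 'status(); echo 1', 'refresh', ''] as $input) {
    printf("%-22s => %s\n", var_export($input, true), $m->dispatch($input));
}

// Constructed access-log lines (not from any real system).
$logs = [
    '10.0.0.5 - - [16/Mar/2026:12:00:01 +0000] "GET /flow/admin/moniteur.php?action=status HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/Mar/2026:12:00:07 +0000] "GET /flow/admin/moniteur.php?action=status%28%29%3Becho%201 HTTP/1.1" 200 77',
    '10.0.0.5 - - [16/Mar/2026:12:00:09 +0000] "GET /flow/index.php HTTP/1.1" 200 1024',
];
foreach (flagSuspiciousActions($logs) as $hit) {
    echo "SUSPICIOUS: {$hit}\n";
}
```

Run with `php moniteur_example.php`: the first and third inputs dispatch normally, the other two are rejected as invalid, and only the second log line is flagged. The design point is that the allowlist maps request strings to methods by lookup, so `method_exists()` is not needed at all and no part of the request ever reaches `eval()`; the log helper gives responders a quick way to check historical traffic to the endpoint for values that could only have been meaningful under the vulnerable code path.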

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Title Use It Flow Admin Remote Code Execution via Unsanitized eval in action Parameter

Tue, 17 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared: Api use It Flow
Vendors & Products: Api use It Flow

Mon, 16 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description The `flow/admin/moniteur.php` script in Use It Flow administration website before 10.0.0 is vulnerable to Remote Code Execution. When handling GET requests, the script takes user-supplied input from the `action` URL parameter, performs insufficient validation, and incorporates this input into a string that is subsequently executed by the `eval()` function. Although a `method_exists()` check is performed, it only validates the part of the user input *before* the first parenthesis `(`, allowing an attacker to append arbitrary PHP code after a valid method call structure. Successful exploitation allows an unauthenticated or trivially authenticated attacker to execute arbitrary PHP code on the server with the privileges of the web server process.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-17T13:59:00.502Z

Reserved: 2025-06-16T00:00:00.000Z

Link: CVE-2025-50881

Vulnrichment

Updated: 2026-03-17T13:58:42.287Z

NVD

Status : Deferred

Published: 2026-03-16T21:16:16.670

Modified: 2026-04-27T19:18:46.690

Link: CVE-2025-50881

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:01:05Z

Weaknesses