Description
EasyFlow .NET developed by Digiwin has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript code executed in users' browsers upon page load.
Published: 2026-06-22
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored Cross‑Site Scripting flaw has been discovered in Digiwin EasyFlow .NET. When a malicious authenticated user submits content that contains JavaScript code, the application saves the input and renders it unchanged the next time any user loads the affected page. The persistent script executes automatically in the victim’s browser, providing an attacker a venue for downstream attacks such as credential theft, defacement, phishing, or session hijacking.

Affected Systems

The vulnerability affects all deployments of Digiwin EasyFlow .NET that have not been upgraded to version 8.1.5 or later. The supplied CNA statement indicates that any instance running a pre‑8.1.5 release is susceptible; no specific build numbers are listed.

Risk and Exploitability

The CVSS score of 5.1 classifies this as moderate severity, reflecting the requirement that an attacker must be authenticated and that the impact is limited to users who view the exploited page. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalogue, suggesting no confirmed widespread exploitation at present. The likely attack vector is remote, authenticated: a partially trusted user can upload malicious payloads which then persist and impact other users who subsequently view the page.

Generated by OpenCVE AI on June 22, 2026 at 12:20 UTC.

Remediation

Vendor Solution

Update to version 8.1.5 or later.


OpenCVE Recommended Actions

  • Apply the vendor‑issued update by upgrading to EasyFlow .NET 8.1.5 or later.
  • Enhance input validation to reject or escape JavaScript code on submission, limiting content that can be posted by authenticated users.
  • Ensure the application outputs user‑supplied content using HTML‑encoding or equivalent measures to prevent execution of malicious scripts.

Generated by OpenCVE AI on June 22, 2026 at 12:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Digiwin
Digiwin easyflow .net
Vendors & Products Digiwin
Digiwin easyflow .net

Mon, 22 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Description EasyFlow .NET developed by Digiwin has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript code executed in users' browsers upon page load.
Title Digiwin|EasyFlow .NET - Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Digiwin Easyflow .net
cve-icon MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-06-22T10:26:46.700Z

Reserved: 2026-06-18T06:51:12.509Z

Link: CVE-2026-12580

cve-icon Vulnrichment

Updated: 2026-06-22T10:26:41.956Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T13:00:11Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')