Impact
The vulnerability is a cross-site scripting flaw (CWE-79). When an administrator clicks a crafted link, attacker-supplied script runs in the administrator's browser, inside the application's origin and the administrator's authenticated session. Because that script can drive the web application with the administrator's privileges, the flaw can lead to unauthorized changes to configuration or data, compromising confidentiality and integrity. The description states that the issue is triggered only when an admin clicks a link, so the impact is realized through the victim's browser and is bounded by the privileges of the administrator who was tricked.
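The pattern described above, as an added illustration that is not Flowmon ADS code and does not reproduce the advisory's actual flaw: a page that reflects a query parameter from a link into its HTML without encoding lets markup carried in the link run as page script in the viewer's session, while HTML-encoding the same value neutralizes it. The URL, parameter name and payload are constructed for the example.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed example of reflected XSS (CWE-79): a search page that echoes
# the "q" parameter of the requested URL back into the response body.
# This is illustrative code, not code from Flowmon ADS or its vendor.


def vulnerable_render(term: str) -> str:
    """Reflects the parameter verbatim; any tags in it become live markup."""
    return f"<h1>Results for: {term}</h1>"


def hardened_render(term: str) -> str:
    """HTML-encodes the parameter so the browser treats it as text, not markup."""
    return f"<h1>Results for: {html.escape(term, quote=True)}</h1>"


def term_from_link(url: str, param: str = "q") -> str:
    """Recover the reflected parameter from a link a logged-in admin might click."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(param, [""])[0]


def reflects_markup(rendered: str, term: str) -> bool:
    """True if input containing '<' or '>' reached the output with those characters intact."""
    return ("<" in term or ">" in term) and term in rendered


# Hypothetical crafted link (host, path and payload are made up for the example).
CRAFTED_LINK = (
    "https://ads.example.internal/search?q=%3Cscript%3Ealert(1)%3C/script%3E"
)

if __name__ == "__main__":
    payload = term_from_link(CRAFTED_LINK)
    print("vulnerable:", vulnerable_render(payload))
    print("hardened:  ", hardened_render(payload))
```

The check in reflects_markup is the regression test a practitioner would keep after patching: run every reflected parameter through it against the rendered page and fail the build if raw angle brackets from the input survive. Output encoding must match the context the value lands in (HTML body here); a value placed inside a script block or an attribute needs the encoding for that context instead.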
Affected Systems
Progress Software Flowmon ADS versions earlier than 12.5.5 and 13.0.3 are affected. Every installation of these releases is in scope, because exploitation needs nothing beyond an administrator who uses the web interface opening a crafted link while logged in.
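A triage helper for the version statement above, added here as an example rather than taken from the advisory or from Flowmon tooling. It reads the two fix versions as one per release line, so anything below 12.5.5, and anything on the 13.0 line below 13.0.3, is treated as affected; that reading of "earlier than 12.5.5 and 13.0.3", and the hostnames and version strings in the sample inventory, are assumptions of the example, not facts from the page. How an installation reports its version string is also not specified here.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fix versions named in the advisory, one per release line (interpretation assumed).
FIXED_12 = (12, 5, 5)
FIRST_13 = (13, 0, 0)
FIXED_13 = (13, 0, 3)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple.

    Leading digits of each component are used, so a build suffix such as
    '13.0.3-1' still parses as (13, 0, 3); missing components default to 0.
    """
    nums: List[int] = []
    for part in text.strip().split(".")[:3]:
        match = re.match(r"\d+", part)
        if not match:
            raise ValueError(f"unparseable version: {text!r}")
        nums.append(int(match.group()))
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_affected(text: str) -> bool:
    """True if the version is below the fix for its line (assumed reading of the advisory)."""
    v = parse_version(text)
    if v < FIXED_12:
        return True  # 12.x below 12.5.5, including older 12.x minors
    if FIRST_13 <= v < FIXED_13:
        return True  # 13.0.0 through 13.0.2
    return False


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted names of inventory entries still on an affected build."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "ads-prod-01": "12.5.4",
    "ads-prod-02": "12.5.5",
    "ads-lab": "13.0.2",
    "ads-new": "13.0.3-1",
    "ads-old": "12.4.0",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: running {SAMPLE_INVENTORY[host]}, patch required")
```

Feed the function whatever version string the appliance or your asset inventory exposes; if Flowmon publishes a different patch mapping for other release lines, adjust the two constants rather than the comparison logic.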
Risk and Exploitability
The CVSS score of 8.6 rates the vulnerability High, while its EPSS score of under 1% indicates a low estimated probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, so there is no confirmed in-the-wild exploitation at this time. Exploitation requires an administrator who is authenticated to the web application to click a crafted link; the attack therefore depends on user interaction, and the attacker must deliver the malicious URL to the administrator and entice them to open it. Taken together, the high severity and the low EPSS put the practical risk at moderate, a judgment that holds only while administrators are aware of the threat and until the available patch is applied.
OpenCVE Enrichment