Description
In Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, a vulnerability exists whereby an adversary with access to Flowmon monitoring ports may craft malicious network data that, when processed by Flowmon ADS and viewed by an authenticated user, could result in unintended actions being executed in the user's browser context.
Published: 2026-03-12
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unintended Browser Actions
Action: Patch ASAP
AI Analysis

Impact

A flaw in Progress Flowmon ADS allows maliciously crafted network data to be processed by the application and, when viewed by an authenticated user, can trigger unintended actions within the user's browser context. The vulnerability is a form of client‑side code injection, relating to the CWE‑79 (XSS) weakness reported by the vendor.

Affected Systems

The issue affects Progress Software Flowmon ADS versions prior to 12.5.5 and 13.0.3. Any deployed instance using those versions is susceptible; newer releases contain the fix.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity. EPSS is listed as <1%, implying a low but non‑zero probability of exploitation in the wild, and the vulnerability is not catalogued in CISA's KEV. An attacker must have access to the Flowmon monitoring ports to craft the malicious payload, and the victim must be an authenticated user who opens the affected data in a web browser. Although the exploitation vector is relatively narrow, the impact is significant due to the potential for arbitrary JavaScript execution in the user's context.

Generated by OpenCVE AI on March 18, 2026 at 14:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flowmon ADS to version 12.5.5 or later for the 12.x line, or to 13.0.3 or later for the 13.x line.
  • Restrict access to the Flowmon monitoring ports to trusted networks or authorised personnel only.
  • If a patch cannot be applied immediately, disable or restrain the viewing of network data for authenticated users until the vulnerability is remediated.

Generated by OpenCVE AI on March 18, 2026 at 14:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Progress Software
Progress Software flowmon Ads
Vendors & Products Progress Software
Progress Software flowmon Ads

Thu, 12 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Description In Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, a vulnerability exists whereby an adversary with access to Flowmon monitoring ports may craft malicious network data that, when processed by Flowmon ADS and viewed by an authenticated user, could result in unintended actions being executed in the user's browser context.
Title Possibility of unintended actions when viewing maliciously crafted network data in Progress Flowmon ADS web application
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N'}

Subscriptions

Progress Software Flowmon Ads
cve-icon MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-03-13T03:55:43.039Z

Reserved: 2026-02-14T09:56:25.024Z

Link: CVE-2026-2514

cve-icon Vulnrichment

Updated: 2026-03-12T14:07:52.897Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-12T13:16:14.203

Modified: 2026-03-12T21:07:53.427

Link: CVE-2026-2514

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:49:48Z

Weaknesses