Description
A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session.
Published: 2026-04-02
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unintended privileged actions via malicious link for authenticated admin
Action: Apply upgrade
AI Analysis

Impact

A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6 that allows an administrator who clicks a malicious link to inadvertently trigger unintended actions within their authenticated web session. This can grant the attacker unauthorized operations as the admin user, leading to potential compromise of the system. The weakness is classified as a cross‑site scripting flaw (CWE‑79).

Affected Systems

The affected product is Progress Software Flowmon. Versions before 12.5.8 and 13.0.6 are impacted. No additional product or version details are provided.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves a phishing or social‑engineering scenario where an authenticated administrator clicks a malicious link; the exploitation is conditioned on the presence of an admin session. While the vulnerability is serious, the attacker must obtain or coerce an admin to act, which reduces the likelihood compared to purely remote exploits, but the consequences remain significant if successful.

Generated by OpenCVE AI on April 2, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flowmon to version 12.5.8 or newer, or to 13.0.6 or newer, whichever applies
  • Educate administrators to avoid clicking unknown or unsolicited links

Generated by OpenCVE AI on April 2, 2026 at 15:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Progress Software
Progress Software flowmon
Vendors & Products Progress Software
Progress Software flowmon

Thu, 02 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session.
Title Possibility of unintended actions when an administrator clicks a malicious link in the Progress Flowmon web application
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N'}

Subscriptions

Progress Software Flowmon
cve-icon MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-04-03T03:55:29.158Z

Reserved: 2026-02-19T09:21:34.082Z

Link: CVE-2026-2737

cve-icon Vulnrichment

Updated: 2026-04-02T13:51:34.715Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-02T14:16:28.087

Modified: 2026-04-03T16:10:52.680

Link: CVE-2026-2737

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:21:13Z

Weaknesses