{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2513", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2026-02-14T09:56:23.317Z", "datePublished": "2026-03-12T12:58:59.894Z", "dateUpdated": "2026-03-13T03:55:42.297Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2026-03-12T12:58:59.894Z"}, "title": "Possibility of unintended actions when an administrator clicks a malicious link in the Progress Flowmon ADS web application", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"vendor": "Progress Software", "product": "Flowmon ADS", "versions": [{"status": "affected", "version": "Flowmon ADS 12 versions prior to 12.5.5", "versionType": "custom"}, {"status": "affected", "version": "Flowmon ADS 13 versions prior to 13.0.3", "versionType": "custom"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session."}]}], "references": [{"url": "https://community.progress.com/s/article/CVE-2026-2513-Progress-Flowmon-ADS", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N"}}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-2513"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T03:55:42.297Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2513", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T14:10:01.680200Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:11:50.761Z"}}], "cna": {"title": "Possibility of unintended actions when an administrator clicks a malicious link in the Progress Flowmon ADS web application", "source": {"discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Progress Software", "product": "Flowmon ADS", "versions": [{"status": "affected", "version": "Flowmon ADS 12 versions prior to 12.5.5", "versionType": "custom"}, {"status": "affected", "version": "Flowmon ADS 13 versions prior to 13.0.3", "versionType": "custom"}], "defaultStatus": "affected"}], "references": [{"url": "https://community.progress.com/s/article/CVE-2026-2513-Progress-Flowmon-ADS", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session.", "supportingMedia": [{"type": "text/html", "value": "A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2026-03-12T12:58:59.894Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2513", "state": "PUBLISHED", "dateUpdated": "2026-03-12T14:11:58.506Z", "dateReserved": "2026-02-14T09:56:23.317Z", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "datePublished": "2026-03-12T12:58:59.894Z", "assignerShortName": "ProgressSoftware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session."}], "id": "CVE-2026-2513", "lastModified": "2026-03-12T21:07:53.427", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@progress.com", "type": "Secondary"}]}, "published": "2026-03-12T13:16:14.023", "references": [{"source": "security@progress.com", "url": "https://community.progress.com/s/article/CVE-2026-2513-Progress-Flowmon-ADS"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@progress.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,12.5.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,13.0.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Flowmon ADS", "source": "cna", "vendor": "Progress Software"}, "product": "flowmon_ads", "vendor": "progress_software"}], "analysis": {"en": {"generated_at": "2026-03-18T14:45:16.477133+00:00", "value": {"mitigation_remediation": ["Upgrade Flowmon ADS to version 12.5.5 or later, or 13.0.3 or later to eliminate the XSS flaw.", "Restrict administrator web access to a secure, trusted environment and disable or filter unsolicited external links.", "Use browser\u2011level XSS protection measures such as Content Security Policy (CSP) or XSS auditor settings.", "Monitor system logs for anomalous configuration changes or suspicious administrative activity.", "Contact Progress support for guidance if a patch is unavailable or if further hardening is required."], "summary": {"action": "Patch", "impact": "Unauthorized In-Session Actions via XSS"}, "threat_synthesis": {"affected_systems": "Progress Software Flowmon ADS versions earlier than 12.5.5 and 13.0.3 are affected. The flaw applies to all installations of these product releases where administrators have access to the web interface.", "description_and_impact": "The vulnerability is a cross\u2011site scripting flaw (CWE\u201179) that allows an administrator who clicks a malicious link to trigger unintended actions within their authenticated web session. Because the attacker can instruct the web application to perform these actions while the user remains logged in, the flaw can lead to unauthorized modifications to configuration or data, potentially compromising confidentiality and integrity. The description explicitly states that the event occurs only when an admin clicks a link, indicating that the impact is executed through the user's browser and the administrator\u2019s privileges.", "risk_and_exploitability": "The CVSS score of 8.6 labels the vulnerability as High severity, and its EPSS score of less than 1% suggests a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, indicating no known large\u2011scale exploitation at this time. Exploitation requires an administrator to be authenticated in the web application and to click a crafted link, implying that the attack vector is user\u2011interaction based and the attacker must deliver or entice the user with the malicious URL. Given the high severity but low EPSS, the overall risk is moderate pending user awareness and readiness to apply the available patch."}}}}, "created": "2026-03-13T09:53:12.768927+00:00", "updated": "2026-03-20T15:49:49.830844+00:00", "vendors": ["progress_software", "progress_software$PRODUCT$flowmon_ads"]}