{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6125", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-11T20:19:59.389Z", "datePublished": "2026-04-12T09:30:22.132Z", "dateUpdated": "2026-04-13T17:47:46.421Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-12T09:30:22.132Z"}, "title": "Dromara warm-flow Workflow Definition save-json SpelHelper.parseExpression code injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "Dromara", "product": "warm-flow", "versions": [{"version": "1.8.0", "status": "affected"}, {"version": "1.8.1", "status": "affected"}, {"version": "1.8.2", "status": "affected"}, {"version": "1.8.3", "status": "affected"}, {"version": "1.8.4", "status": "affected"}], "modules": ["Workflow Definition Handler"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Dromara warm-flow up to 1.8.4. Impacted is the function SpelHelper.parseExpression of the file /warm-flow/save-json of the component Workflow Definition Handler. The manipulation of the argument listenerPath/skipCondition/permissionFlag results in code injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-11T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-11T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-11T22:25:09.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "anch0r (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/356989", "name": "VDB-356989 | Dromara warm-flow Workflow Definition save-json SpelHelper.parseExpression code injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356989/cti", "name": "VDB-356989 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/793322", "name": "Submit #793322 | Dromara warm-flow <= 1.8.4 Code Injection", "tags": ["third-party-advisory"]}, {"url": "https://gitee.com/dromara/warm-flow/issues/IHURVQ", "tags": ["exploit", "issue-tracking"]}, {"url": "https://gitee.com/dromara/warm-flow/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T17:47:26.952195Z", "id": "CVE-2026-6125", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:47:46.421Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Dromara warm-flow Workflow Definition save-json SpelHelper.parseExpression code injection", "credits": [{"lang": "en", "type": "reporter", "value": "anch0r (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "Dromara", "modules": ["Workflow Definition Handler"], "product": "warm-flow", "versions": [{"status": "affected", "version": "1.8.0"}, {"status": "affected", "version": "1.8.1"}, {"status": "affected", "version": "1.8.2"}, {"status": "affected", "version": "1.8.3"}, {"status": "affected", "version": "1.8.4"}]}], "timeline": [{"lang": "en", "time": "2026-04-11T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-11T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-11T22:25:09.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/356989", "name": "VDB-356989 | Dromara warm-flow Workflow Definition save-json SpelHelper.parseExpression code injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356989/cti", "name": "VDB-356989 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/793322", "name": "Submit #793322 | Dromara warm-flow <= 1.8.4 Code Injection", "tags": ["third-party-advisory"]}, {"url": "https://gitee.com/dromara/warm-flow/issues/IHURVQ", "tags": ["exploit", "issue-tracking"]}, {"url": "https://gitee.com/dromara/warm-flow/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Dromara warm-flow up to 1.8.4. Impacted is the function SpelHelper.parseExpression of the file /warm-flow/save-json of the component Workflow Definition Handler. The manipulation of the argument listenerPath/skipCondition/permissionFlag results in code injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-12T09:30:22.132Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6125", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T17:47:26.952195Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-13T17:47:33.256Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-6125", "state": "PUBLISHED", "dateUpdated": "2026-04-12T09:30:22.132Z", "dateReserved": "2026-04-11T20:19:59.389Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-12T09:30:22.132Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Dromara warm-flow up to 1.8.4. Impacted is the function SpelHelper.parseExpression of the file /warm-flow/save-json of the component Workflow Definition Handler. The manipulation of the argument listenerPath/skipCondition/permissionFlag results in code injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks."}], "id": "CVE-2026-6125", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-12T10:16:01.277", "references": [{"source": "cna@vuldb.com", "url": "https://gitee.com/dromara/warm-flow/"}, {"source": "cna@vuldb.com", "url": "https://gitee.com/dromara/warm-flow/issues/IHURVQ"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/793322"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356989"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356989/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.8.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.8.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.8.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.8.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.8.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "warm-flow", "source": "cna", "vendor": "Dromara"}, "product": "warm-flow", "vendor": "dromara"}], "analysis": {"en": {"generated_at": "2026-04-12T11:20:47.284201+00:00", "value": {"mitigation_remediation": ["Upgrade Dromara warm-flow to version 1.8.5 or later.", "If upgrading is not immediately possible, restrict external access to the /warm-flow/save-json endpoint and ensure strict authentication and authorization controls are in place.", "Validate or sanitize all inputs to listenerPath, skipCondition, and permissionFlag before passing them to SpelHelper.parseExpression.", "Monitor application logs for anomalous code execution patterns and enforce an incident response plan if suspicious activity is detected."], "summary": {"action": "Immediate Patch", "impact": "Code Injection"}, "threat_synthesis": {"affected_systems": "The affected product is warm-flow from Dromara. Any installation using version 1.8.4 or earlier is vulnerable.", "description_and_impact": "A flaw in Dromara warm-flow up to version 1.8.4 allows attackers to inject code through the SpelHelper.parseExpression function used in the Workflow Definition Handler. By manipulating the listenerPath, skipCondition, or permissionFlag parameters, an attacker can execute arbitrary code. The vulnerability is exploitable remotely, and the attack code has already been released to the public.", "risk_and_exploitability": "The CVSS score is 5.3, indicating a moderate risk level. EPSS data is not available, but the vulnerability is not listed in the CISA KEV catalog. Since the flaw is exploitable from remote sources and public exploit code exists, the likelihood of exploitation is significant. Organizations should treat this as a high priority when deploying or maintaining warm-flow on their systems."}}}}, "created": "2026-04-13T12:41:27.492014+00:00", "updated": "2026-04-13T12:56:06.593436+00:00", "vendors": ["dromara", "dromara$PRODUCT$warm-flow"]}