Medium severity 6.3 · NVD Advisory · Published Apr 12, 2026 · Updated Apr 29, 2026
CVE-2026-6125
Description
A security flaw has been discovered in Dromara warm-flow up to 1.8.4. The affected function is SpelHelper.parseExpression, in the file /warm-flow/save-json of the Workflow Definition Handler component. Manipulating the argument listenerPath/skipCondition/permissionFlag results in code injection. The attack can be performed remotely. The exploit has been released to the public and may be used for attacks.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.dromara.warm:warm-flow-plugin-modes-sb (Maven) | < 1.8.5 | 1.8.5 |
References
- github.com/advisories/GHSA-822v-8w6h-5jxp (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-6125 (ghsa, ADVISORY)
- gitee.com/dromara/warm-flow/issues/IHURVQ (nvd, WEB)
- vuldb.com/submit/793322 (nvd, WEB)
- vuldb.com/vuln/356989 (nvd, WEB)
- vuldb.com/vuln/356989/cti (nvd, WEB)