VYPR

Processmaker

by ProcessMaker

CVEs (11)

  • CVE-2013-10035 (High), published Jul 31, 2025
    risk 0.65, CVSS not listed, EPSS 0.01

    A code injection vulnerability exists in ProcessMaker Open Source versions 2.x when using the default 'neoclassic' skin. An authenticated user can execute arbitrary PHP code via multiple endpoints, including appFolderAjax.php, casesStartPage_Ajax.php, and…

  • CVE-2025-34097 (High), published Jul 10, 2025
    risk 0.63, CVSS not listed, EPSS 0.01

    An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the…

  • CVE-2022-38577 (High), published Sep 19, 2022
    risk 0.57, CVSS 8.8, EPSS 0.02

    ProcessMaker before v3.5.4 was discovered to contain insecure permissions in the user profile page. This vulnerability allows attackers to escalate normal users to Administrators.
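    The entry above describes a privilege escalation through a profile update, the classic mass-assignment shape: a self-service form post is written to the user record field by field, so a normal user who adds a role field promotes themself. The following is an added example, not ProcessMaker code and not the patched logic of CVE-2022-38577; the user dictionaries, field names and role values are constructed for illustration. It contrasts the write-everything pattern with an allow-list that only admits privileged fields when an administrator edits another account, and rejects rather than silently drops anything else so the attempt is visible.

```python
# Fields a user may change on their own profile (assumed names, not ProcessMaker's schema).
PROFILE_FIELDS = {"first_name", "last_name", "email", "timezone"}
# Fields that change authorization and must never come from a self-service form.
ADMIN_ONLY_FIELDS = {"role", "status"}


def update_profile_vulnerable(user, payload):
    # Vulnerable pattern: every submitted field is copied onto the record,
    # so a payload carrying role=ADMIN escalates the caller.
    user.update(payload)
    return user


def update_profile_hardened(actor, user, payload):
    # Hardened pattern: compute the allowed field set from who is acting on whom,
    # then refuse the whole request if it names anything outside that set.
    # Rejecting (rather than ignoring) unexpected fields leaves an audit trail.
    allowed = set(PROFILE_FIELDS)
    if actor["role"] == "ADMIN" and actor["id"] != user["id"]:
        allowed |= ADMIN_ONLY_FIELDS
    rejected = set(payload) - allowed
    if rejected:
        raise PermissionError(f"fields not permitted for this actor: {sorted(rejected)}")
    user.update(payload)
    return user


def demo():
    # Constructed sample accounts and a tampered form post.
    alice = {"id": 7, "role": "OPERATOR", "first_name": "Alice"}
    alice_copy = dict(alice)
    tampered = {"first_name": "Alice", "role": "ADMIN"}

    vulnerable_role = update_profile_vulnerable(alice, tampered)["role"]
    try:
        update_profile_hardened(alice_copy, alice_copy, tampered)
    except PermissionError:
        pass
    hardened_role = alice_copy["role"]
    return vulnerable_role, hardened_role


if __name__ == "__main__":
    vulnerable_role, hardened_role = demo()
    print("vulnerable update leaves role:", vulnerable_role)
    print("hardened update leaves role:", hardened_role)
```

    An administrator editing a different account still gets the privileged fields through the same function, so the fix does not need a second code path for the admin UI.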

  • CVE-2020-13526 (High), published Dec 10, 2020
    risk 0.57, CVSS 8.8, EPSS 0.02

    An SQL injection vulnerability exists in the handling of sort parameters in ProcessMaker 3.4.11. A specially crafted HTTP request can cause an SQL injection. The reportTables_Ajax and clientSetupAjax pages are vulnerable to SQL injection in the sort parameter. An attacker can make…

  • CVE-2020-13525 (High), published Dec 3, 2020
    risk 0.57, CVSS 8.8, EPSS 0.02

    The sort parameter in the download page /sysworkflow/en/neoclassic/reportTables/reportTables_Ajax is vulnerable to SQL injection in ProcessMaker 3.4.11. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger…
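    Both CVE-2020-13526 and CVE-2020-13525 above are injections through a sort parameter, which is a distinct case from the usual WHERE-clause injection: an ORDER BY term is an identifier or expression, so it cannot be passed as a bind parameter, and the only fix is to map the untrusted value onto a server-owned allow-list. The following is an added example, not ProcessMaker code and not the actual vulnerable query from reportTables_Ajax; it uses a constructed SQLite table and assumed column names to show the vulnerable splice next to the allow-listed form, and an injected expression that changes the result order depending on a subquery, which is the boolean-based extraction technique a sort-parameter injection enables.

```python
import sqlite3

# Constructed report table; column and table names are assumptions for the example.
ROWS = [(1, "zed", "active"), (2, "amy", "inactive"), (3, "kim", "active")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE report (id INTEGER, name TEXT, status TEXT)")
    con.executemany("INSERT INTO report VALUES (?, ?, ?)", ROWS)
    return con


def list_report_vulnerable(con, sort):
    # Vulnerable pattern: the request value is spliced into ORDER BY verbatim.
    # A bind parameter cannot be used for an identifier, so without validation
    # the caller controls SQL syntax inside the query.
    return con.execute(f"SELECT id, name FROM report ORDER BY {sort}").fetchall()


# Allow-lists: keys are what the client may send, values are what reaches SQL.
ALLOWED_SORT = {"id": "id", "name": "name", "status": "status"}
ALLOWED_DIR = {"asc": "ASC", "desc": "DESC"}


def list_report_hardened(con, sort, direction="asc"):
    # Hardened pattern: look the untrusted strings up in fixed maps and only
    # ever interpolate the mapped, server-owned identifiers.
    try:
        col = ALLOWED_SORT[sort.lower()]
        dirn = ALLOWED_DIR[direction.lower()]
    except KeyError:
        raise ValueError(f"unsupported sort parameter: {sort!r} {direction!r}")
    return con.execute(f"SELECT id, name FROM report ORDER BY {col} {dirn}").fetchall()


# Injected ORDER BY expression: the row order reveals whether the subquery
# is true (sort by id) or false (sort by name), one bit per request.
PAYLOAD = "(CASE WHEN (SELECT COUNT(*) FROM report) > 2 THEN id ELSE name END) DESC"


def demo():
    con = make_db()
    injected_order = [row[0] for row in list_report_vulnerable(con, PAYLOAD)]
    try:
        list_report_hardened(con, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return injected_order, blocked


if __name__ == "__main__":
    injected_order, blocked = demo()
    print("vulnerable query ran the injected expression; id order:", injected_order)
    print("hardened query rejected it:", blocked)
```

    The same mapping approach covers any value that has to land in a structural position (table name, column, direction, LIMIT): never validate by stripping characters, map onto known-good strings.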

  • CVE-2016-9045 (High), published Sep 17, 2018
    risk 0.57, CVSS 8.8, EPSS 0.02

    A code execution vulnerability exists in ProcessMaker Enterprise Core 3.0.1.7-community. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.

  • CVE-2016-9048 (High), published Sep 10, 2018
    risk 0.48, CVSS 7.4, EPSS 0.01

    Multiple exploitable SQL injection vulnerabilities exist in ProcessMaker Enterprise Core 3.0.1.7-community. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this…

  • CVE-2024-41454 (Medium), published Jan 15, 2025
    risk 0.42, CVSS 6.5, EPSS 0.00

    An arbitrary file upload vulnerability in the UI login page logo upload function of Process Maker pm4core-docker 4.1.21-RC7 allows attackers to execute arbitrary code via uploading a crafted PHP or HTML file.

  • CVE-2024-25506 (Medium), published Mar 28, 2024
    risk 0.42, CVSS 6.5, EPSS 0.00

    Cross Site Scripting vulnerability in Process Maker, Inc ProcessMaker before 4.0 allows a remote attacker to run arbitrary code via control of the pm_sys_sys cookie.

  • CVE-2021-47978 (Medium), published May 16, 2026
    risk 0.40, CVSS 6.2, EPSS 0.01

    ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Attackers can send requests with directory traversal sequences to access sensitive system files like…
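    The entry above attributes the file read to improper path traversal validation. The robust check is not a search for the literal string "../" (which misses percent-encoded and symlink variants) but resolving the final path and proving it still lies under the intended base directory. The following is an added example, not ProcessMaker code and not the fix for CVE-2021-47978; it builds a constructed directory layout in a temp dir and shows the unchecked join next to a realpath-based containment check, exercised with plain, percent-encoded and absolute-path probes.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_under_base(base_dir, user_path):
    """Return the absolute path of user_path inside base_dir, or raise ValueError.

    Decodes percent-encoding once (so %2e%2e/ is seen as ../), resolves
    symlinks and '..' with realpath, then checks containment by path prefix.
    An absolute user_path replaces base_dir in os.path.join and is caught
    by the same prefix check.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, unquote(user_path)))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def read_file_vulnerable(base_dir, user_path):
    # Vulnerable pattern: the request value is joined to the base and opened as-is.
    with open(os.path.join(base_dir, user_path), "rb") as f:
        return f.read()


def read_file_hardened(base_dir, user_path):
    with open(resolve_under_base(base_dir, user_path), "rb") as f:
        return f.read()


def demo():
    # Constructed layout: <tmp>/secret.txt outside the served directory,
    # <tmp>/public/hello.txt inside it.
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("outside the web root")
    with open(os.path.join(public, "hello.txt"), "w") as f:
        f.write("inside the web root")

    results = {
        "vulnerable_traversal": read_file_vulnerable(public, "../secret.txt"),
        "hardened_normal": read_file_hardened(public, "hello.txt"),
    }
    for probe in ("../secret.txt", "%2e%2e/secret.txt", "/etc/hostname"):
        try:
            read_file_hardened(public, probe)
            results[probe] = "allowed"
        except ValueError:
            results[probe] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Decoding exactly once matters: decoding in a loop until stable would turn a legitimately stored "%2e" into a traversal, while decoding zero times leaves the check blind to what the web server will decode later.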

  • CVE-2024-41453 (Medium), published Jan 15, 2025
    risk 0.31, CVSS 4.8, EPSS 0.00

    A cross-site scripting (XSS) vulnerability in Process Maker pm4core-docker 4.1.21-RC7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter.