CVE-2026-6125 | Dromara warm-flow up to 1.8.4 Workflow Definition /warm-flow/save-json SpelHelper.parseExpression listenerPath/skipCondition/permissionFlag code injection (IHURVQ)

Inserito da Angelo Barbosa | Apr 11, 2026 | CVE

A vulnerability, which was classified as critical, was found in Dromara warm-flow up to 1.8.4. Impacted is the function SpelHelper.parseExpression of the file /warm-flow/save-json of the component Workflow Definition Handler. The manipulation of the argument listenerPath/skipCondition/permissionFlag results in code injection.

This vulnerability was named CVE-2026-6125. The attack may be performed from remote. In addition, an exploit is available.

CVE-2026-6125 | Dromara warm-flow up to 1.8.4 Workflow Definition /warm-flow/save-json SpelHelper.parseExpression listenerPath/skipCondition/permissionFlag code injection (IHURVQ)

Post correlati

CVE-2024-30202 | GNU Emacs up to 29.2 Org Mode Remote Code Execution

CVE-2024-41624 | Himalaya Xiaoya Nano Smart Speaker 1.6.96 rom_version access control

CVE-2024-22593 | FlyCMS 1.0 add_group_save cross-site request forgery

CVE-2026-23554 | Xen EPT use after free