A vulnerability was found in FlowCI flow-core-x up to 1.23.01 and classified as critical. The impacted element is the function Save of the file core/src/main/java/com/flowci/core/config/service/ConfigServiceImpl.java of the component SMTP Host Handler. The manipulation results in server-side request forgery.

This vulnerability was named CVE-2026-4215. The attack may be performed from remote. In addition, an exploit is available.

The vendor was contacted early about this disclosure but did not respond in any way.