CVE-2026-2737 PUBLISHED

Possibility of unintended actions when an administrator clicks a malicious link in the Progress Flowmon web application

Assigner: ProgressSoftware
Reserved: 19.02.2026 Published: 02.04.2026 Updated: 02.04.2026

A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N
CVSS Score: 8.5

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	Low
Attack Complexity	Low	Integrity	High	Integrity	Low
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	Low
User Interaction	Active

CVSS 4.0

Product Status

Vendor	Progress Software
Product	Flowmon
Versions	Default: affected Version Flowmon 12 versions prior to 12.5.8 is affected Version Flowmon 13 versions prior to 13.0.6 is affected

References

https://community.progress.com/s/article/CVE-2026-2737-Progress-Flowmon

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE

Impacts

CAPEC-63 Cross-Site Scripting (XSS)