Flow

This hub aggregates every CVE we track for Flow, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Flow.

• CVE-2026-22683Windmill < 1.615.0 Operator Role Missing Authorization Checks RCE8.8Apr 7, 2026
• CVE-2026-2742Unauthorized session creation via reserved framework path access5.3Mar 10, 2026
• CVE-2026-2741Zip Slip Path Traversal on Node Unpack6.8Mar 10, 2026
• CVE-2026-1126lwj flow SVG File FormResource.java uploadFile unrestricted upload6.3Jan 18, 2026
• CVE-2025-11655Total.js Flow SVG File unrestricted upload4.7Oct 13, 2025
• CVE-2025-20972Improper verification of intent by broadcast receiver in Samsung Flow prior to version 4.9.17.6 allows local attackers to modify Samsung Flow configuration.6.2May 7, 2025
• CVE-2025-20971Improper input validation in Samsung Flow prior to version 4.9.17.6 allows local attackers to access data within Samsung Flow.5.5May 7, 2025
• CVE-2024-49407Improper access control in Samsung Flow prior to version 4.9.15.7 allows physical attackers to access data across multiple user profiles.4.6Nov 6, 2024
• CVE-2024-34600Improper verification of intent by broadcast receiver vulnerability in Samsung Flow prior to version 4.9.13.0 allows local attackers to copy image files to external storage.4.4Jul 2, 2024
• CVE-2023-30094A stored cross-site scripting (XSS) vulnerability in TotalJS Flow v10 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the platform name field in the se...5.4May 4, 2023
• CVE-2023-21444Improper cryptographic implementation in Samsung Flow for PC 4.9.14.0 allows adjacent attackers to decrypt encrypted messages or inject commands.7.5Feb 9, 2023
• CVE-2023-21443Improper cryptographic implementation in Samsung Flow for Android prior to version 4.9.04 allows adjacent attackers to decrypt encrypted messages or inject commands.7.5Feb 9, 2023
• CVE-2021-31412Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-195.3Jun 24, 2021
• CVE-2021-31411Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-196.3May 5, 2021
• CVE-2021-31408Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-196.3Apr 23, 2021