MEDIUM SeverityCVSS 4.06.9CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CVE-2021-47978

Last updated May 16, 2026 · Published May 16, 2026

Description

ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Attackers can send requests with directory traversal sequences to access sensitive system files like /etc/passwd without authentication.

Affected products

1 listed

Processmaker:ProcessMaker

Mappings

CWE

CWE-98

CAPEC

None listed.

Research

Command injection: how it works and how to prevent itCommand injection happens when untrusted input reaches a shell or process spawn. Avoid the shell, pass…
Template InjectionExplains how untrusted input can be executed by template engines on server or client. Covers safe templating…
Path traversal: how to detect and prevent itPath traversal lets attackers read or write files outside intended directories. Normalise paths, resolve them…

Training

Injection TodaySQL, NoSQL, ORM, and LLM injection - what's changed and what hasn't.
Secure File HandlingUploads, storage, and serving files without opening the door to attackers.

CVE-2021-47978

Description

Affected products

Mappings

Related