CVE-2026-2513 HIGH

CVE-2026-2513: Possibility of unintended actions when an administrator clicks a malicious link in the Progress Flowmon ADS web application

Vendor Progress Software
Product Flowmon ADS
Weakness CWE-79 · XSS
Published March 12, 2026
Last update March 13, 2026
View on NVD All CVEs

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N

What the vulnerability does

01Description

A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session.

Key dates

02Disclosure timeline

March 12, 2026 CVE published
March 13, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-6370 WordPress Mini Ajax Cart for WooCommerce plugin <= 1.3.4 - Cross Site Scripting (XSS) vulnerability CVE-2025-50186 Chamilo: Stored XSS via Malicious CSV Filename in user_import.php CVE-2023-0743 Cross-site Scripting (XSS) - Generic in answerdev/answer CVE-2024-9117 Mapplic Lite <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload CVE-2024-37101 WordPress WP Post Author plugin <= 3.6.7 - Cross Site Scripting (XSS) vulnerability