216.73.217.64

CVE-2026-42555

· Published 14/05/2026 17:16 · Modified 14/05/2026 18:13

Labels: CVE-2026-42555 2026-05-14CVE-2026-42555CWE-94[email protected]

Essential information

Published
14/05/2026 17:16
Modified
14/05/2026 18:13
Author
Creator
CVSS
9.1 CRITICAL (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS metrics

Description

Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to before 13.23.0 evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration. This vulnerability is fixed in com.ritense.valtimo:document 2.32.0, com.ritense.valtimo:case 13.23.0, and com.ritense.valtimo:contract 13.23.0.

NVD status

Status
Deferred — When a CVE is given this status the NVD does not plan analyze or re-analyze this CVE due to resource or other concerns.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
ritense / valtimo cpe:2.3:a:ritense:valtimo:12.0.0-12.31.9:*:*:*:*:*:*:*
ritense / valtimo cpe:2.3:a:ritense:valtimo:13.0.0-13.22.9:*:*:*:*:*:*:*
ritense / valtimo cpe:2.3:a:ritense:valtimo:13.4.0-13.22.9:*:*:*:*:*:*:*

References