GHSA-8gqp-hr9g-pg62

Suggest an improvement
Source
https://github.com/advisories/GHSA-8gqp-hr9g-pg62
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-8gqp-hr9g-pg62/GHSA-8gqp-hr9g-pg62.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8gqp-hr9g-pg62
Aliases
  • CVE-2025-26074
Published
2025-06-30T18:31:50Z
Modified
2025-06-30T22:44:40.743330Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Conductor vulnerable to OS command injection through unrestricted access to Java classes
Details

Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes.

Database specific 
{
    "github_reviewed_at": "2025-06-30T22:16:54Z",
    "cwe_ids": [
        "CWE-78"
    ],
    "nvd_published_at": "2025-06-30T17:15:31Z",
    "severity": "CRITICAL",
    "github_reviewed": true
}
References

Affected packages

Maven / org.conductoross:conductor-core

Package

Name
org.conductoross:conductor-core
View open source insights on deps.dev
Purl
pkg:maven/org.conductoross/conductor-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.21.13

Affected versions

3.*

3.16.0
3.17.0
3.18.0
3.19.0
3.20.0
3.21.0
3.21.1
3.21.2
3.21.3
3.21.4
3.21.5
3.21.6
3.21.7
3.21.8
3.21.9
3.21.10
3.21.11
3.21.12