| Title | https://gitee.com/lwj/flow flowable 1.0 Arbitrary File Upload |
|---|---|
| Description | Arbitrary file upload in flowable v1.0 via /front/flow/uploadFile/ due to insecure extension and Content-Type validation. Vulnerable file: \flow-master\flow-front-rest\src\main\java\com\dragon\flow\web\resource\flow\FormResource.java. Attackers may use HTML or SVG file uploads to achieve stored XSS, further stealing administrator sessions or laterally penetrating process systems. This vulnerability has exposed a significant oversight by the development team in the design of file upload security. |
| Source | https://gitee.com/lwj/flow/issues/IDIQSE |
| User | MaoQiu (UID 94327) |
| Submission | 01/09/2026 08:35 (3 months ago) |
| Moderation | 01/17/2026 19:20 (8 days later) |
| Status | Accepted |
| VulDB entry | 341718 [lwj flow up to a3d2fe8133db9d3b50fda4f66f68634640344641 SVG File FormResource.java uploadFile unrestricted upload] |
| Points | 20 |