{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T16:22:34.498","vulnerabilities":[{"cve":{"id":"CVE-2025-58059","sourceIdentifier":"security-advisories@github.com","published":"2025-08-28T18:15:33.850","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Valtimo is a platform for Business Process Automation. In versions before 12.16.0.RELEASE, and from 13.0.0.RELEASE to before 13.1.2.RELEASE, any admin that can create or modify and execute process-definitions could gain access to sensitive data or resources. This includes but is not limited to: running executables on the application host, inspecting and extracting data from the host environment or application properties, spring beans (application context, database pooling). The following conditions have to be met in order to perform this attack: the user must be logged in, have the admin role, and must have some knowledge about running scripts via the Camunda/Operator engine. Version 12.16.0 and 13.1.2 have been patched. It is strongly advised to upgrade. If no scripting is needed in any of the processes, it could be possible to disable it altogether via the ProcessEngineConfiguration. However, this workaround could lead to unexpected side-effects."},{"lang":"es","value":"Valtimo es una plataforma para la Automatización de Procesos de Negocio. En versiones anteriores a la 12.16.0.RELEASE, y desde la 13.0.0.RELEASE hasta la 13.1.2.RELEASE, cualquier administrador que pueda crear o modificar y ejecutar definiciones de procesos podría obtener acceso a datos o recursos sensibles. Esto incluye, entre otros: ejecutar archivos ejecutables en el host de la aplicación, inspeccionar y extraer datos del entorno del host o de las propiedades de la aplicación, beans de Spring (contexto de la aplicación, pooling de la base de datos). Las siguientes condiciones deben cumplirse para realizar este ataque: el usuario debe haber iniciado sesión, tener el rol de administrador, y debe tener algún conocimiento sobre la ejecución de scripts a través del motor Camunda/Operator. La versión 12.16.0 y la 13.1.2 han sido parcheadas. Se recomienda encarecidamente actualizar. Si no se necesita scripting en ninguno de los procesos, podría ser posible deshabilitarlo por completo a través de la ProcessEngineConfiguration. Sin embargo, esta solución alternativa podría provocar efectos secundarios inesperados."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.3,"impactScore":6.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-78"},{"lang":"en","value":"CWE-200"}]}],"references":[{"url":"https://github.com/valtimo-platform/valtimo-backend-libraries/commit/45eb60b0b2df5964fb9917295d0dceb1fff8dd85","source":"security-advisories@github.com"},{"url":"https://github.com/valtimo-platform/valtimo-backend-libraries/security/advisories/GHSA-w48j-pp7j-fj55","source":"security-advisories@github.com"}]}}]}