PT-2026-25808

Published 2026-03-16 · Updated 2026-03-18 · CVE-2025-50881

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Use It Flow versions prior to 10.0.0

Description

The flow/admin/moniteur.php script is susceptible to Remote Code Execution. The script processes GET requests and retrieves user-supplied input from the action URL parameter. Insufficient validation of this input, combined with its use in the eval() function, allows for arbitrary PHP code execution. The method_exists() check only validates the portion of the input before the first parenthesis "(". Successful exploitation enables an attacker to execute arbitrary PHP code on the server with the privileges of the web server process.

Recommendations

Update Use It Flow to version 10.0.0 or later.
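
The flaw class described in the Description, reduced to a minimal PHP sketch beside a hardened dispatcher. This is an added example, not Use It Flow's code: the Monitor class, its methods, flawedCheck(), dispatch() and the sample inputs are hypothetical, and the flawed check is reconstructed from the Description only.

```php
<?php
// Added illustration: hypothetical class and method names, not Use It Flow's code.
final class Monitor
{
    public function status(): string  { return 'ok'; }
    public function refresh(): string { return 'refreshed'; }
}

// Flawed check as the advisory describes it: only the text before the first
// "(" is validated, so whatever follows would reach eval() unchecked.
function flawedCheck(object $target, string $action): bool
{
    $name = explode('(', $action, 2)[0];
    return method_exists($target, $name);
}

// Hardened dispatch: the whole value must equal an allowlisted name, and the
// method is called directly, so the input is never parsed as PHP code.
const ALLOWED_ACTIONS = ['status', 'refresh'];

function dispatch(object $target, string $action): string
{
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        throw new InvalidArgumentException('unknown action');
    }
    return $target->$action();
}

$monitor = new Monitor();
// Constructed inputs: a plain action name, and one with trailing text after "(".
foreach (['status', 'status() . trailing_text'] as $input) {
    printf("%-26s flawedCheck=%s ", $input, var_export(flawedCheck($monitor, $input), true));
    try {
        echo 'dispatch=', dispatch($monitor, $input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'dispatch rejected', PHP_EOL;
    }
}
```

The flawed check accepts both inputs because it never looks past the parenthesis, while the allowlisted dispatcher rejects the second one outright.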

Exploit · Fix · RCE · Code Injection
