MidnightBSD

Advisories for nintex

CVE-2015-7299 HIGH

SQL injection vulnerability in Runtime/Runtime/AjaxCall.ashx in K2 blackpearl, smartforms, and K2 for SharePoint 4.6.7 allows remote attackers to execute arbitrary SQL commands via the xml parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
nintex k2_for_sharepoint 4.6.7
nintex k2_blackpearl 4.6.7
nintex k2_smartforms 4.6.7
CVE-2022-38167

The Nintex Workflow plugin 5.2.2.30 for SharePoint allows XSS.

Products Affected

Vendor Product Version
nintex workflow 5.2.2.30
CVE-2025-27924

Nintex Automation 5.6 and 5.7 before 5.8 has a stored XSS issue associated with the "Navigate to a URL" action.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
nintex automation *
CVE-2025-27925

Nintex Automation 5.6 and 5.7 before 5.8 has insecure deserialization of user input.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
nintex automation *
CVE-2025-27926

In Nintex Automation 5.6 and 5.7 before 5.8, the K2 SmartForms Designer folder has configuration files (web.config) containing passwords that are readable by unauthorized users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
cve@mitre.org 4.3 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N 2.5 1.4

Products Affected

Vendor Product Version
nintex automation *