CVE-2025-67750HIGH 8.4EPSS p6.1%

CVE-2025-67750CVE-2025-67750

Description

Lightning Flow Scanner provides a A CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metadata file to cause arbitrary JavaScript execution during scanning. The APIVersion rule uses new Function() to evaluate expression strings, enabling an attacker to supply a malicious expression within rule configuration or crafted flow metadata. This could compromise developer machines, CI runners, or editor environments. This issue is fixed in version 6.10.6.

Scoring

CVSS 3.18.4 (HIGH)
VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.17% probability of exploitation · percentile 6.1% · 2026-06-18T12:00:27Z
Published2025-12-12
Last modified2026-04-15

Underlying weaknesses· 1

CWE-94

References

  1. https://github.com/Flow-Scanner/lightning-flow-scanner/commit/10f64a5eb193d8a777e453b25e910144e4540795
  2. https://github.com/Flow-Scanner/lightning-flow-scanner/releases/tag/core-v6.10.6
  3. https://github.com/Flow-Scanner/lightning-flow-scanner/security/advisories/GHSA-55jh-84jv-8mx8

1

TypeTargetConfidenceTier
WeaknessImproper Control of Generation of Code ('Code Injection')cwe-940%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-7466
CVE
CVE-2025-57393
CVE
Langflow Code Injection Vulnerability
CVE
CVE-2025-11899
CVE
CVE-2026-41270
CVE
CVE-2025-55346
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.