Aggregates CVE and security vulnerability intelligence across all sherparpa-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk sql injection, vendor risk cross-site scripting, and vendor risk csrf and related problems; some flaws may lead to vendor impact session compromise and vendor impact data exposure.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-46547 | In Sherpa Orchestrator 141851, the web application lacks protection against CSRF attacks, with resultant effects of an attacker conducting XSS attacks, adding a new user or role, or exploiting a SQL injection issue. | [email protected] | 5.4 | 0.14% | 2025-04-24 | 2026-06-17 |
| CVE-2025-46546 | In Sherpa Orchestrator 141851, multiple time-based blind SQL injections can be performed by an authenticated user. This affects api/gui/asset/list, /api/gui/files/export/csv/, /api/gui/files/list, /api/gui/process/export/csv, /api/gui/process/export/xlsx, /api/gui/process/listAll, /api/gui/processVersion/export/csv/, /api/gui/processVersion/export/xlsx/, /api/gui/processVersion/list/, /api/gui/robot/list/, /api/gui/task/export/csv/, /api/gui/task/export/xlsx/, and /api/gui/task/list/. | [email protected] | 3.5 | 0.33% | 2025-04-24 | 2026-06-17 |
| CVE-2025-46545 | In Sherpa Orchestrator 141851, the functionality for adding or updating licenses allows for stored XSS attacks by an administrator through the name parameter. The XSS payload can execute when the license expires. | [email protected] | 4.4 | 0.23% | 2025-04-24 | 2026-06-17 |
| CVE-2025-46544 | In Sherpa Orchestrator 141851, a low-privileged user can elevate their privileges by creating new users and roles. | [email protected] | 6.4 | 0.23% | 2025-04-24 | 2026-06-17 |