What is CVE-2013-10035?

CVE-2013-10035 is a vulnerability in Processmaker, Inc. Processmaker Open Source, classified under Code Injection. Published 2025-07-31.

Is CVE-2013-10035 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Processmaker, Inc. Processmaker Open Source

CVE-2013-10035

A code injection vulnerability exists in ProcessMaker Open Source versions 2.x when using the default 'neoclassic' skin. An authenticated user can execute arbitrary PHP code via multiple endpoints, including appFolderAjax.php, casesStartPa…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.623 (98.4th percentile) — read the EPSS interpretation.

Affected products

Processmaker, Inc. Processmaker Open Source — versions 2.0

Weakness classification (CWE)

CWE-94 — Code Injection

Public proof-of-concept exploits

References

raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/m… (exploit)
web.archive.org/web/20150419043936/https://bugs.processmaker.com/view.php (issue-tracking, patch)
www.exploit-db.com/exploits/29325 (exploit)
www.fortiguard.com/encyclopedia/ips/37390 (third-party-advisory)
www.vulncheck.com/advisories/processmaker-open-source-neoclassic-skin-php-code-… (third-party-advisory)

Frequently asked questions

What is CVE-2013-10035?: CVE-2013-10035 is a vulnerability in Processmaker, Inc. Processmaker Open Source, classified under Code Injection. Published 2025-07-31.
Is CVE-2013-10035 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.