Orchestrator
This hub aggregates every CVE we track for Orchestrator, a product in the enterprise software space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 7
- Critical: 0
- High: 1
- In CISA KEV: 0
Severity distribution
Medium: 5, Low: 1, High: 1
Monthly trend (chart, 2024-08 to 2026-07)
Latest CVEs
The 7 most recently published vulnerabilities affecting Orchestrator.
- CVE-2025-46547: In Sherpa Orchestrator 141851, the web application lacks protection against CSRF attacks, with resultant effects of an attacker conducting XSS attacks, adding a new user or role, or exploiting a SQ... (score 5.4)
- CVE-2025-46546: In Sherpa Orchestrator 141851, multiple time-based blind SQL injections can be performed by an authenticated user. This affects api/gui/asset/list, /api/gui/files/export/csv/, /api/gui/files/list, ... (score 3.5)
- CVE-2025-46544: In Sherpa Orchestrator 141851, a low-privileged user can elevate their privileges by creating new users and roles. (score 6.4)
- CVE-2025-46545: In Sherpa Orchestrator 141851, the functionality for adding or updating licenses allows for stored XSS attacks by an administrator through the name parameter. The XSS payload can execute when the l... (score 4.4)
- CVE-2021-27940: resources/public/js/orchestrator.js in openark orchestrator before 3.2.4 allows XSS via the orchestrator-msg parameter. (score 6.1)
- CVE-2018-19855: UiPath Orchestrator before 2018.3.4 allows CSV Injection, related to the Audit export, Robot log export, and Transaction log export features. (score 5.5)
- CVE-2018-17305: UiPath Orchestrator through 2018.2.4 allows any authenticated user to change the information of arbitrary users (even administrators) leading to privilege escalation and remote code execution. (score 8.8)
Product normalization is registry-driven with AI assist and human review.