CVE-2026-22034

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-22034

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22034.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-22034

Aliases

GHSA-c4ch-xw5p-2mvc

Downstream

DEBIAN-CVE-2026-22034

Published

2026-01-08T14:49:05.020Z

Modified

2026-03-13T07:57:20.696766Z

Severity

9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Snuffleupagus vulnerable to RCE on instances with upload validation enabled but without the VLD package

Details

Snuffleupagus is a module that raises the cost of attacks against website by killing bug classes and providing a virtual patching system. On deployments of Snuffleupagus prior to version 0.13.0 with the non-default upload validation feature enabled and configured to use one of the upstream validation scripts based on Vulcan Logic Disassembler (VLD) while the VLD extension is not available to the CLI SAPI, all files from multipart POST requests are evaluated as PHP code. The issue was fixed in version 0.13.0.

Database specific

{
    "cwe_ids": [
        "CWE-636"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22034.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/jvoisin/snuffleupagus

Affected ranges

Type: GIT
Repo: https://github.com/jvoisin/snuffleupagus
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

5f944e2b1085bdd07b75f7c13bec2b2ad49ea09e

Affected versions

v0.*

v0.1.0

v0.10.0

v0.11.0

v0.12.0

v0.2.0

v0.2.1

v0.2.2

v0.3.1

v0.4.0

v0.4.1

v0.5.0

v0.5.1

v0.6.0

v0.7.0

v0.7.1

v0.8.0

v0.8.1

v0.8.2

v0.8.3

v0.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22034.json"