CVE-2026-22034
Published: 08 January 2026
Summary
CVE-2026-22034 is a critical-severity Failing Open (CWE-636) vulnerability in Jvoisin Snuffleupagus. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely remediation of identified flaws, directly addressing this CVE by mandating upgrade of Snuffleupagus to version 0.13.0 or later where the upload validation logic flaw is fixed.
CM-6 enforces secure configuration settings, mitigating the vulnerability by ensuring the upload validation feature is either disabled or properly configured with the required VLD extension available to CLI SAPI.
CM-7 restricts systems to least functionality, preventing exploitation by prohibiting or disabling the non-essential upload validation feature when VLD dependencies are unmet.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct RCE in public-facing PHP web module via crafted multipart uploads.
NVD Description
Snuffleupagus is a module that raises the cost of attacks against website by killing bug classes and providing a virtual patching system. On deployments of Snuffleupagus prior to version 0.13.0 with the non-default upload validation feature enabled and configured to…
more
use one of the upstream validation scripts based on Vulcan Logic Disassembler (VLD) while the VLD extension is not available to the CLI SAPI, all files from multipart POST requests are evaluated as PHP code. The issue was fixed in version 0.13.0.
Deeper analysisAI
CVE-2026-22034 affects Snuffleupagus, a PHP module designed to raise the cost of attacks against websites by eliminating bug classes and providing virtual patching. The vulnerability occurs in deployments prior to version 0.13.0 where the non-default upload validation feature is enabled and configured to use upstream validation scripts based on the Vulcan Logic Disassembler (VLD), but the VLD extension is unavailable to the CLI SAPI. In such configurations, all files from multipart POST requests are incorrectly evaluated as PHP code, enabling unintended code execution. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-636 (Not Failing to Clear Existence Check After Atomic Operation).
Remote attackers can exploit this vulnerability without authentication or user interaction by sending crafted multipart POST requests containing malicious files, which are then executed as PHP code on the server. This leads to arbitrary remote code execution, potentially allowing full compromise of the affected web server, including data exfiltration, modification, or denial of service.
The vulnerability was addressed in Snuffleupagus version 0.13.0, as detailed in the project's security advisory (GHSA-c4ch-xw5p-2mvc) and the fixing commit (9278dc77bab2a219e770a1b31dd6797bc9070e37). Security practitioners should upgrade to version 0.13.0 or later and review configurations to ensure the upload validation feature either uses available VLD extensions or is disabled if not required. Source code changes in sp_upload_validation.c and the affected validation scripts (upload_validation.php and upload_validation.py in v0.12.0) highlight the specific logic flaw resolved in the patch.
Details
- CWE(s)