Cyber Resilience

CVE-2026-22192

Severity: High · Public PoC

Published: 13 March 2026
Modified: 22 April 2026
KEV Added
Patch
CVSS v4.0 base score: 8.8 (High); vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.0027 (18.4th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-22192 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Voltronic Power SNMP Web Pro version 1.1, the product named in the CVE description and in the advisories cited below. Its CVSS v4.0 base score is 8.8 (High); under CVSS v3.1 it scores 9.9.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 18.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-22192, published on 2026-03-13, is an authentication bypass vulnerability (CWE-306) affecting Voltronic Power SNMP Web Pro version 1.1. The web interface keeps its authentication state in browser localStorage, and the server trusts that client-controlled state rather than enforcing its own check on the privileged management functions. An attacker who edits those localStorage values in their own browser satisfies the access check and reaches protected management functionality without valid credentials.

Remote unauthenticated attackers can exploit this vulnerability with low complexity, as indicated by its CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L). No victim interaction is required (UI:N): the attacker sets the localStorage values in their own browser session, for example from the browser's developer tools, and then uses the management interface directly. What an attacker can do from there depends on which management functions the interface exposes; the public exploit referenced below chains this bypass with other issues in the same product.

Advisories including the VulnCheck report at https://www.vulncheck.com/advisories/voltronic-power-snmp-web-pro-authentication-bypass-via-localstorage provide further details on the issue. A public exploit script covering CVE-2026-22192 and the related issues CVE-2026-22192 through CVE-2026-22199, chained to pre-auth root RCE, is available at https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22192-22199_Voltronic-Power_Preauth_root_RCE.txt. Security practitioners should consult the vendor site at https://voltronicpower.com/ and the related advisory at https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/ for patch information and mitigation guidance.

Vulnerability details

Voltronic Power SNMP Web Pro version 1.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to access privileged management functions by manipulating browser localStorage values. Attackers can modify client-side authentication state to bypass server-side access controls and gain unauthorized access to protected management functionality without valid credentials.

CWE(s)

CWE-306 Missing Authentication for Critical Function

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct authentication bypass in a public-facing web management application (SNMP Web Pro) enables remote exploitation without credentials, matching T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2023-46309 (same product: Gvectors Wpdiscuz)
CVE-2023-45760 (same product: Gvectors Wpdiscuz)
CVE-2026-22202 (same product: Gvectors Wpdiscuz)
CVE-2026-22193 (same product: Gvectors Wpdiscuz)
CVE-2026-22199 (same product: Gvectors Wpdiscuz)
CVE-2026-22182 (same product: Gvectors Wpdiscuz)
CVE-2026-4810 (shared CWE-306)
CVE-2025-53847 (shared CWE-306)
CVE-2025-61757 (shared CWE-306)
CVE-2025-68715 (shared CWE-306)

Affected Assets

gvectors wpdiscuz, versions ≤ 7.6.47

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces server-side access control decisions that cannot be bypassed by manipulated client-side localStorage, by requiring independent validation of every authorization.

Authenticator protection (prevent): Mandates secure management and protection of authenticators, prohibiting reliance on tamperable browser localStorage for authentication state.

AC-25 Reference Monitor (prevent): Implements a tamper-proof reference monitor that mediates all access requests, blocking unauthorized privileged function access regardless of client-side manipulation.
