CVE-2026-22192
Published: 13 March 2026
Summary
CVE-2026-22192 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Gvectors Wpdiscuz. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 20.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces server-side access control decisions that prevent bypass via manipulated client-side localStorage by requiring independent validation of authorizations.
- Mandates secure management and protection of authenticators, prohibiting reliance on tamperable browser localStorage for authentication state.
- Implements a tamper-proof reference monitor to mediate all access requests, blocking unauthorized privileged function access regardless of client-side manipulation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct authentication bypass in a public-facing web management application (SNMP Web Pro) enables remote exploitation without credentials, matching T1190.
NVD Description
Voltronic Power SNMP Web Pro version 1.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to access privileged management functions by manipulating browser localStorage values. Attackers can modify client-side authentication state to bypass server-side access controls and gain unauthorized access to protected management functionality without valid credentials.
Deeper analysis
CVE-2026-22192, published on 2026-03-13, is an authentication bypass vulnerability (CWE-306) affecting Voltronic Power SNMP Web Pro version 1.1. The flaw enables unauthenticated attackers to access privileged management functions by manipulating browser localStorage values, which modifies the client-side authentication state and circumvents server-side access controls to reach protected management functionality without valid credentials.
Remote unauthenticated attackers can exploit this vulnerability with low complexity, as indicated by its CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L). By altering localStorage in a victim's browser—potentially via cross-site scripting or user interaction—they bypass authentication entirely, achieving unauthorized access to sensitive management interfaces and potentially enabling further compromise depending on the exposed functions.
Advisories including the VulnCheck report at https://www.vulncheck.com/advisories/voltronic-power-snmp-web-pro-authentication-bypass-via-localstorage provide further details on the issue. A public exploit script covering CVE-2026-22192 and related vulnerabilities (CVE-2026-22192-22199) for pre-auth root RCE is available at https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22192-22199_Voltronic-Power_Preauth_root_RCE.txt. Security practitioners should consult the vendor site at https://voltronicpower.com/ and related advisory https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/ for patch information and mitigation guidance.
Details
- CWE(s)