Cyber Resilience

CVE-2026-22194

HighPublic PoC

Published: 09 January 2026

Published
09 January 2026
Modified
14 January 2026
KEV Added
Patch
CVSS Score v4 8.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0021 11.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-22194 is a high-severity CSRF (CWE-352) vulnerability in Gestsup Gestsup. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-22194 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting GestSup versions up to and including 3.2.60. The application fails to verify the authenticity of client requests, enabling forged requests to be processed without proper validation. This flaw has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, and significant impacts on confidentiality, integrity, and availability.

An unauthenticated attacker can exploit this vulnerability by tricking a logged-in user, such as an administrator, into submitting crafted requests from a malicious site or email. The requests execute with the victim's elevated privileges, targeting endpoints like the administrative user creation function to create new privileged accounts. Exploitation requires user interaction but can lead to full compromise of account management capabilities.

Mitigation details are outlined in the official changelog at https://gestsup.fr/index.php?page=changelog and the advisory from VulnCheck at https://www.vulncheck.com/advisories/gestsup-csrf-allows-privileged-actions, which likely include patch information for affected versions. Security practitioners should review these resources for upgrade instructions and implement CSRF tokens or other request validation measures where applicable.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

GestSup versions up to and including 3.2.60 contain a cross-site request forgery (CSRF) vulnerability where the application does not verify the authenticity of client requests. An attacker can induce a logged-in user to submit crafted requests that perform actions with…

more

the victim's privileges. This can be exploited to create privileged accounts by targeting the administrative user creation endpoint.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1136 Create Account Persistence
Adversaries may create an account to maintain access to victim systems.
Why these techniques?

CSRF in public-facing web app directly enables exploitation for initial access (T1190) and creation of privileged accounts (T1136) via forged admin requests.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22196Same product: Gestsup Gestsup
CVE-2026-22195Same product: Gestsup Gestsup
CVE-2026-22197Same product: Gestsup Gestsup
CVE-2025-68434Shared CWE-352
CVE-2018-25200Shared CWE-352
CVE-2024-56901Shared CWE-352
CVE-2025-25907Shared CWE-352
CVE-2025-27910Shared CWE-352
CVE-2025-23467Shared CWE-352
CVE-2018-25170Shared CWE-352

Affected Assets

gestsup
gestsup
≤ 3.2.56

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces session authenticity mechanisms like CSRF tokens to prevent forged requests from tricking logged-in users into performing privileged actions.

prevent

Requires validation of information inputs, such as CSRF tokens, to verify the authenticity of client requests targeting sensitive endpoints like administrative user creation.

prevent

Mandates timely identification, reporting, and correction of flaws like this CSRF vulnerability through patching and updates as outlined in vendor advisories.

References