CVE-2026-22194
Published: 09 January 2026
Summary
CVE-2026-22194 is a high-severity CSRF (CWE-352) vulnerability in GestSup. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 1.2 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 (Session Authenticity): directly enforces session authenticity mechanisms such as CSRF tokens, preventing forged requests from tricking logged-in users into performing privileged actions.
SI-10 (Information Input Validation): requires validation of information inputs, such as CSRF tokens, to verify the authenticity of client requests targeting sensitive endpoints like administrative user creation.
SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of flaws like this CSRF vulnerability through patching and updates as outlined in vendor advisories.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF in a public-facing web application directly enables exploitation for initial access (T1190) and the creation of privileged accounts (T1136) via forged administrative requests.
NVD Description
GestSup versions up to and including 3.2.60 contain a cross-site request forgery (CSRF) vulnerability where the application does not verify the authenticity of client requests. An attacker can induce a logged-in user to submit crafted requests that perform actions with the victim's privileges. This can be exploited to create privileged accounts by targeting the administrative user creation endpoint.
Deeper analysis
CVE-2026-22194 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting GestSup versions up to and including 3.2.60. The application fails to verify the authenticity of client requests, enabling forged requests to be processed without proper validation. This flaw has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, and significant impacts on confidentiality, integrity, and availability.
An unauthenticated attacker can exploit this vulnerability by tricking a logged-in user, such as an administrator, into submitting crafted requests from a malicious site or email. The requests execute with the victim's elevated privileges, targeting endpoints like the administrative user creation function to create new privileged accounts. Exploitation requires user interaction but can lead to full compromise of account management capabilities.
Mitigation details are outlined in the official changelog at https://gestsup.fr/index.php?page=changelog and the advisory from VulnCheck at https://www.vulncheck.com/advisories/gestsup-csrf-allows-privileged-actions, which likely include patch information for affected versions. Security practitioners should review these resources for upgrade instructions and implement CSRF tokens or other request validation measures where applicable.
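The request validation recommended above, shown as an added Python example (not GestSup's own code): a synchronizer token bound to the session plus an Origin/Referer check on a state-changing endpoint. The session and request shapes, the `/admin/user/create` path and the `helpdesk.example` origin are assumptions for illustration only.

```python
"""Synchronizer-token CSRF check for a state-changing admin endpoint.

Added example, not GestSup's code. Session/request shapes, the
'/admin/user/create' path and ALLOWED_ORIGIN are assumed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field

ALLOWED_ORIGIN = "https://helpdesk.example"  # assumed deployment origin


@dataclass
class Session:
    user: str
    # One unguessable token per login session, rendered into every form.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict
    session: Session


def csrf_ok(req: Request) -> bool:
    """True only if a state-changing request carries proof that it came from
    a page this application served to this session, not from a third-party site."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state, so no token is required
    # 1. The browser-set Origin (or Referer as fallback) must be our own site;
    #    a form auto-submitted from another site fails here before the token check.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != ALLOWED_ORIGIN and not origin.startswith(ALLOWED_ORIGIN + "/"):
        return False
    # 2. The token in the form body must equal the one bound to the session;
    #    compare in constant time and on bytes (compare_digest rejects non-ASCII str).
    submitted = req.form.get("csrf_token", "")
    return hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode())


def handle_create_user(req: Request) -> int:
    """HTTP status returned by the (assumed) administrative user-creation endpoint."""
    if req.path != "/admin/user/create" or req.method != "POST":
        return 404
    if not csrf_ok(req):
        return 403  # forged or token-less request: reject before touching account state
    return 201  # would create the account here
```

The Origin check alone is not sufficient (older clients may omit both headers), which is why the session-bound token remains the primary control.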
Details
- CWE(s)