Cyber Resilience

CVE-2026-22196

HighPublic PoC

Published: 09 January 2026

Published
09 January 2026
Modified
14 January 2026
KEV Added
Patch
CVSS Score v4 7.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0029 20.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-22196 is a high-severity SQL Injection (CWE-89) vulnerability in Gestsup Gestsup. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22196 is a SQL injection vulnerability (CWE-89) affecting GestSup versions prior to 3.2.60, specifically in the ticket creation functionality. User-controlled input provided during ticket creation is incorporated into SQL queries without sufficient neutralization, enabling an authenticated attacker to manipulate database queries. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to its potential for significant confidentiality and integrity impacts.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). By injecting malicious SQL payloads during ticket creation, the attacker can alter database queries, potentially resulting in unauthorized access to sensitive data or modification of database contents, limited by the privileges of the database account used by the application.

Mitigation involves upgrading to GestSup version 3.2.60 or later, as indicated by the affected version range. The vendor's changelog at https://gestsup.fr/index.php?page=changelog details the fix, and the VulnCheck advisory at https://www.vulncheck.com/advisories/gestsup-sqli-in-ticket-creation provides additional analysis and recommendations for practitioners.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

GestSup versions prior to 3.2.60 contain a SQL injection vulnerability in ticket creation functionality. User-controlled input provided during ticket creation is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result…

more

in unauthorized access to or modification of database contents depending on database privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in web-based ticket system directly enables remote exploitation of the application for data access/modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22195Same product: Gestsup Gestsup
CVE-2026-22197Same product: Gestsup Gestsup
CVE-2026-22194Same product: Gestsup Gestsup
CVE-2026-24956Shared CWE-89
CVE-2026-33615Shared CWE-89
CVE-2025-28939Shared CWE-89
CVE-2021-47872Shared CWE-89
CVE-2025-28873Shared CWE-89
CVE-2019-25636Shared CWE-89
CVE-2026-32611Shared CWE-89

Affected Assets

gestsup
gestsup
≤ 3.2.56

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and neutralization of user-controlled inputs during ticket creation to prevent SQL injection manipulation of database queries.

prevent

Mandates identification, reporting, and correction of the SQL injection flaw through timely upgrades to GestSup version 3.2.60 or later.

prevent

Restricts types, amounts, and characteristics of ticket creation inputs to block malicious SQL payloads from being processed.

References