Cyber Resilience

CVE-2026-22322

Severity: High
Published: 18 March 2026
Modified: 27 April 2026
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0003 (10.5th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22322 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Certvde (inferred from references). Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 10.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-22322 is a stored cross-site scripting (XSS) vulnerability, associated with CWE-79, in the Link Aggregation configuration interface. It enables an unauthenticated remote attacker to inject malicious HTML/JavaScript code into a trunk entry. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

An unauthenticated remote attacker can exploit this by creating a trunk entry containing malicious code. When an authenticated user views the affected page, the injected script executes in the victim's browser context, potentially allowing unauthorized actions such as interface manipulation. However, the session cookie is protected by the HttpOnly flag, which prevents the script from reading it and so prevents session takeover.

For details on mitigation, patches, or workarounds, refer to the advisory at https://certvde.com/de/advisories/VDE-2025-104.

EU & UK References

Vulnerability details

A stored cross-site scripting (XSS) vulnerability in the Link Aggregation configuration interface allows an unauthenticated remote attacker to create a trunk entry containing malicious HTML/JavaScript code. When the affected page is viewed, the injected script executes in the context of the victim's browser, enabling unauthorized actions such as interface manipulation. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

Stored XSS in a public-facing web configuration interface enables exploitation of the application itself (T1190) and arbitrary JavaScript execution in the victim's browser context (T1059.007), which is what permits actions such as interface manipulation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-3231 (shared CWE-79)
- CVE-2025-23481 (shared CWE-79)
- CVE-2025-69302 (shared CWE-79)
- CVE-2025-23734 (shared CWE-79)
- CVE-2025-23571 (shared CWE-79)
- CVE-2025-65110 (shared CWE-79)
- CVE-2026-24948 (shared CWE-79)
- CVE-2025-27352 (shared CWE-79)
- CVE-2025-30349 (shared CWE-79)
- CVE-2026-3876 (shared CWE-79)

Affected Assets

Certvde (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-assigned)

- Prevent: Validates inputs to the Link Aggregation configuration interface to prevent unauthenticated attackers from injecting malicious HTML/JavaScript code into trunk entries.
- Prevent: Filters and encodes outputs when rendering trunk entries to block execution of any injected scripts in the context of the victim's browser.
- Prevent: Enforces identification and authentication for non-organizational users accessing the configuration interface, blocking unauthenticated remote attackers from creating malicious trunk entries.
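As an added illustration of the input-validation and output-encoding controls listed above (example code written for this page, not code from the advisory or the affected product), the snippet below validates a trunk entry against an allow-list before it is stored and HTML-escapes every stored value when the trunk table is rendered. The trunk-name and port formats, the function names and the table markup are assumptions.

```python
"""Added example, not code from the advisory or the affected product.
Validation and output encoding for a hypothetical trunk entry; the
name/port formats, function names and table markup are assumptions."""
import html
import re

# Assumption: trunk names are short identifiers such as "trunk1" or "lag-uplink".
TRUNK_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Assumption: member ports look like "1/1/24" or "ge-0/0/1".
PORT_RE = re.compile(r"[A-Za-z0-9/-]{1,16}")


def validate_trunk_entry(name: str, ports: list[str]) -> list[str]:
    """Allow-list check applied before the entry is stored (SI-10 style).

    Returns the list of validation errors; an empty list means the entry
    is acceptable. Anything outside the allow-list, including the angle
    brackets and quotes that markup needs, is rejected at the door."""
    errors = []
    if not TRUNK_NAME_RE.fullmatch(name):
        errors.append("trunk name must be 1-32 chars of [A-Za-z0-9_-]")
    if not ports:
        errors.append("a trunk needs at least one member port")
    errors.extend(f"invalid member port {p!r}" for p in ports
                  if not PORT_RE.fullmatch(p))
    return errors


def render_trunk_row(name: str, ports: list[str]) -> str:
    """Render one row of the trunk table with every stored value escaped.

    Output encoding is applied regardless of whether validation ran, so a
    value that reached storage by another path is displayed as text rather
    than parsed as markup. quote=True also escapes quotes, which is what
    keeps the data-trunk attribute from being broken out of."""
    safe_name = html.escape(name, quote=True)
    safe_ports = ", ".join(html.escape(p, quote=True) for p in ports)
    return (f'<tr data-trunk="{safe_name}">'
            f"<td>{safe_name}</td><td>{safe_ports}</td></tr>")


if __name__ == "__main__":
    # Constructed samples: one benign entry, one carrying markup.
    print(validate_trunk_entry("lag-uplink", ["1/1/24", "1/1/25"]))
    probe = "<script>alert(1)</script>"
    print(validate_trunk_entry(probe, ["1/1/24"]))
    print(render_trunk_row(probe, ["1/1/24"]))
```

The two layers are independent on purpose: validation keeps markup out of storage, and escaping at render time means a value that still reaches the table is shown literally instead of being executed.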

References