CVE-2026-22789

Medium

Published: 12 January 2026

Modified: 21 January 2026
CVSS Score v3.1: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0023 (13.5th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-22789 is a medium-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wem-Project Wem. Its CVSS base score is 5.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 13.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-22789 is a file upload validation bypass vulnerability affecting WebErpMesv2, an open-source Resource Management and Manufacturing Execution System web application for industrial use. In versions prior to 1.19, multiple controllers fail to properly validate uploaded files, enabling authenticated users to upload arbitrary files, including malicious PHP scripts. This flaw leads to remote code execution (RCE) and is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-616 (Incomplete Identification of Uploaded File Variables). The vulnerability mirrors CVE-2025-52130 in nature but impacts different code locations overlooked in the prior remediation, with a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).

An attacker with low-privilege authenticated access (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). By bypassing file validation in the affected controllers, they can upload and execute PHP scripts, achieving RCE on the server. The unchanged scope (S:U) limits lateral movement, while impacts are confined to low confidentiality and integrity effects (C:L/I:L) with no availability disruption (A:N).

Mitigation is available in WebErpMesv2 version 1.19, which addresses the issue via fixes in the referenced GitHub commit (c9e7f4a85aeb774a0ea4b61ad57a51b941166b69). The GitHub Security Advisory (GHSA-64rv-f829-x6m4) provides further details on the vulnerability and recommends upgrading immediately, along with reviewing access controls for file upload endpoints.

Vulnerability details

WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, WebErpMesv2 contains a file upload validation bypass vulnerability in multiple controllers that allows authenticated users to upload arbitrary files, including PHP scripts, leading to Remote Code Execution (RCE). This vulnerability is identical in nature to CVE-2025-52130 but exists in different code locations that were not addressed by the original fix. This vulnerability is fixed in 1.19.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

RCE through a file upload validation bypass in a public-facing web application, reachable by any authenticated user, maps to T1190; the ability to upload PHP scripts specifically facilitates web shell deployment (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22788 · Same product: Wem-Project Wem
CVE-2025-22654 · Shared CWE-434
CVE-2025-11948 · Shared CWE-434
CVE-2025-67260 · Shared CWE-434
CVE-2025-28915 · Shared CWE-434
CVE-2023-53956 · Shared CWE-434
CVE-2025-6058 · Shared CWE-434
CVE-2021-47819 · Shared CWE-434
CVE-2025-7852 · Shared CWE-434
CVE-2026-4883 · Shared CWE-434

Affected Assets

Vendor: wem-project
Product: wem
Version: 1.18

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly requires validation of file uploads to reject dangerous types (CWE-434), blocking the bypass that enables arbitrary PHP script execution.

prevent

Enforces least privilege on authenticated users so they cannot reach or abuse the vulnerable upload controllers even if validation fails.

prevent · detect

Requires malicious-code scanning and blocking of uploaded files before they can be executed, mitigating the RCE path described in the CVE.
