CVE-2026-22789
Published: 12 January 2026
Summary
CVE-2026-22789 is a medium-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wem-Project Wem. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 15.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
- Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
- Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Direct RCE via unauthenticated-style file upload bypass on public-facing web app enables T1190; PHP script upload specifically facilitates web shell deployment (T1505.003).
NVD Description
WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, WebErpMesv2 contains a file upload validation bypass vulnerability in multiple controllers that allows authenticated users to upload arbitrary files, including PHP scripts, leading to Remote Code Execution (RCE). This vulnerability is identical in nature to CVE-2025-52130 but exists in different code locations that were not addressed by the original fix. This vulnerability is fixed in 1.19.
Deeper analysis (AI)
CVE-2026-22789 is a file upload validation bypass vulnerability affecting WebErpMesv2, an open-source Resource Management and Manufacturing Execution System web application for industrial use. In versions prior to 1.19, multiple controllers fail to properly validate uploaded files, enabling authenticated users to upload arbitrary files, including malicious PHP scripts. This flaw leads to remote code execution (RCE) and is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-616 (Incomplete Identification of Uploaded File Variables). The vulnerability mirrors CVE-2025-52130 in nature but impacts different code locations overlooked in the prior remediation, with a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).
An attacker with low-privilege authenticated access (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). By bypassing file validation in the affected controllers, they can upload and execute PHP scripts, achieving RCE on the server. The unchanged scope (S:U) limits lateral movement, while impacts are confined to low confidentiality and integrity effects (C:L/I:L) with no availability disruption (A:N).
Mitigation is available in WebErpMesv2 version 1.19, which addresses the issue via fixes in the referenced GitHub commit (c9e7f4a85aeb774a0ea4b61ad57a51b941166b69). The GitHub Security Advisory (GHSA-64rv-f829-x6m4) provides further details on the vulnerability and recommends upgrading immediately, along with reviewing access controls for file upload endpoints.
Details
- CWE(s)