CVE-2026-22789
Published: 12 January 2026
Summary
CVE-2026-22789 is a medium-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wem-Project Wem. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 13.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-22789 is a file upload validation bypass vulnerability affecting WebErpMesv2, an open-source Resource Management and Manufacturing Execution System web application for industrial use. In versions prior to 1.19, multiple controllers fail to properly validate uploaded files, enabling authenticated users to upload arbitrary files, including malicious PHP scripts. This flaw leads to remote code execution (RCE) and is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-616 (Incomplete Identification of Uploaded File Variables). The vulnerability mirrors CVE-2025-52130 in nature but impacts different code locations overlooked in the prior remediation, with a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).
An attacker with low-privilege authenticated access (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). By bypassing file validation in the affected controllers, they can upload and execute PHP scripts, achieving RCE on the server. The unchanged scope (S:U) limits lateral movement, while impacts are confined to low confidentiality and integrity effects (C:L/I:L) with no availability disruption (A:N).
Mitigation is available in WebErpMesv2 version 1.19, which addresses the issue via fixes in the referenced GitHub commit (c9e7f4a85aeb774a0ea4b61ad57a51b941166b69). The GitHub Security Advisory (GHSA-64rv-f829-x6m4) provides further details on the vulnerability and recommends upgrading immediately, along with reviewing access controls for file upload endpoints.
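The validation class the advisory calls for (SI-10: reject dangerous file types by checking every attribute of the upload server-side) is illustrated below. This is an added example, not WebErpMesv2's code or its 1.19 fix; the allowlist, function names and sample bytes are assumptions. The `weak_check` function shows the incomplete-check pattern behind CWE-616 (trusting only the browser-supplied MIME type) for contrast with the full validator.

```python
"""Server-side upload validation in the spirit of NIST SI-10: check the
name, extension, declared type and content of every upload and reject
dangerous types.  Example code only; the allowlist and names are
assumptions, not WebErpMesv2's own implementation."""
import os
import re

# Allowlist: extension -> (expected MIME type, magic bytes the content must start with)
ALLOWED = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "pdf": ("application/pdf", b"%PDF-"),
}
# PHP open tags must never survive inside an accepted file (image/PHP polyglots).
PHP_MARKERS = (b"<?php", b"<?=")
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def weak_check(client_mime: str) -> bool:
    """The incomplete check pattern behind CWE-616: only the browser-supplied
    MIME type is examined, and the uploader chooses that value."""
    return client_mime in {mime for mime, _ in ALLOWED.values()}


def validate_upload(filename: str, client_mime: str, content: bytes):
    """Return (accepted, detail).  On success, detail is the extension the file
    should be stored with (under a server-generated name, outside the web root)."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path component
    stem, _, ext = base.rpartition(".")
    ext = ext.lower()
    if not stem or ext not in ALLOWED:
        return False, "extension not in allowlist"
    if not SAFE_STEM.match(stem):              # also rejects double extensions
        return False, "unsafe base name"
    expected_mime, magic = ALLOWED[ext]
    if client_mime != expected_mime:           # cross-check only, never trusted alone
        return False, "declared type disagrees with extension"
    if not content.startswith(magic):
        return False, "content does not match extension"
    if any(marker in content for marker in PHP_MARKERS):
        return False, "embedded PHP open tag"
    return True, ext
```

Storing accepted files under a random server-generated name with the validated extension, in a directory the web server will not execute, closes the remaining path from upload to execution.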
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1998
Vulnerability details
WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, WebErpMesv2 contains a file upload validation bypass vulnerability in multiple controllers that allows authenticated users to upload arbitrary files, including PHP scripts, leading to Remote Code Execution (RCE). This vulnerability is identical in nature to CVE-2025-52130 but exists in different code locations that were not addressed by the original fix. This vulnerability is fixed in 1.19.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct RCE via the unauthenticated-style file upload bypass on a public-facing web app enables T1190; uploading PHP scripts specifically facilitates web shell deployment (T1505.003).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of file uploads to reject dangerous types (CWE-434), blocking the bypass that enables arbitrary PHP script execution.
- AC-6 (Least Privilege): enforces least privilege on authenticated users so they cannot reach or abuse the vulnerable upload controllers even if validation fails.
- Malicious-code protection: requires scanning and blocking of uploaded files before they can be executed, mitigating the RCE path described in the CVE.