CVE-2026-22905
Published: 09 February 2026
Summary
CVE-2026-22905 is a high-severity Path Traversal (CWE-22) vulnerability in Certvde (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-22905 is a path traversal vulnerability stemming from insufficient URI validation, classified under CWE-22. It affects a web-exposed component that serves CGI endpoints; because request URIs are not sufficiently validated, an attacker can use traversal sequences such as /js/../cgi-bin/post.cgi to circumvent the authentication controls. Published on 2026-02-09, the issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting a high confidentiality impact that requires neither privileges nor user interaction.
An unauthenticated attacker with network access can remotely exploit this flaw to bypass authentication mechanisms. Successful exploitation grants unauthorized access to protected CGI endpoints, enabling actions such as downloading sensitive configurations.
Mitigation guidance is available in the referenced advisory at https://certvde.com/de/advisories/VDE-2026-004.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6927
Vulnerability details
An unauthenticated remote attacker can bypass authentication by exploiting insufficient URI validation and using path traversal sequences (e.g., /js/../cgi-bin/post.cgi), gaining unauthorized access to protected CGI endpoints and configuration downloads.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing CGI/web component enables remote unauthenticated exploitation of the application (T1190) and direct retrieval of sensitive local configuration files (T1005, Data from Local System).
Mitigating Controls (NIST 800-53 r5)
- SI-10 requires validation of URI inputs to directly mitigate path traversal sequences exploiting insufficient URI validation for authentication bypass.
- SI-9 enforces input restrictions that block invalid or malicious URI paths from accessing protected CGI endpoints.
- AC-3 mandates enforcement of access authorizations, preventing unauthorized logical access to sensitive configurations via traversed paths.
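The flaw described in the deeper analysis and the SI-10/AC-3 controls listed above come down to one rule: canonicalize the request path before any authorization decision is made on it. The following is an added example written for this page, not code from the affected product or from the CERT@VDE advisory. It models a minimal request authorizer in Python; the protected prefix /cgi-bin/ and the double-decoding and backslash handling are assumptions for illustration. The naive checker is shown beside the hardened one so the difference in behaviour on the advisory's sample URI is visible.

```python
"""Canonicalize-then-authorize: the check that CVE-2026-22905-style URI validation lacks.

Added example (not vendor or advisory code). Assumptions are marked below.
"""
from typing import Optional
from urllib.parse import unquote

# Assumption: endpoints under this prefix require an authenticated session.
PROTECTED_PREFIXES = ("/cgi-bin/",)


def is_protected(canonical_path: str) -> bool:
    """True if the canonical path names a protected endpoint or the protected directory itself."""
    return any(canonical_path == p.rstrip("/") or canonical_path.startswith(p)
               for p in PROTECTED_PREFIXES)


def is_authorized_naive(raw_path: str, authenticated: bool) -> bool:
    """Flawed check: evaluates the raw URI, so '/js/../cgi-bin/post.cgi' looks like
    a public '/js/...' resource even though the server will resolve it to /cgi-bin/."""
    if is_protected(raw_path):
        return authenticated
    return True


def canonicalize(raw_path: str) -> Optional[str]:
    """Return the canonical absolute path for a request URI, or None if it is malformed.

    Steps (SI-10 input validation):
      1. percent-decode once; reject input that is still encoded after that
         (double encoding is a classic way to smuggle '..' past a filter);
      2. reject NUL bytes and relative paths;
      3. resolve '.', '..' and empty segments with an explicit stack, refusing any
         '..' that would climb above the root instead of silently clamping it.
    """
    decoded = unquote(raw_path)
    if unquote(decoded) != decoded:        # double-encoded sequences remain
        return None
    if "\x00" in decoded or not decoded.startswith("/"):
        return None
    # Assumption: treat backslash as a separator too; denying more is the safe direction.
    decoded = decoded.replace("\\", "/")

    stack = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue                        # '//' and '/./' contribute nothing
        if segment == "..":
            if not stack:
                return None                 # would escape the web root
            stack.pop()
        else:
            stack.append(segment)
    return "/" + "/".join(stack)


def is_authorized(raw_path: str, authenticated: bool) -> bool:
    """Hardened check (AC-3): authorization is decided on the canonical path only."""
    canonical = canonicalize(raw_path)
    if canonical is None:
        return False                        # malformed request: deny, do not guess
    if is_protected(canonical):
        return authenticated
    return True


def compare(raw_path: str, authenticated: bool = False) -> dict:
    """Side-by-side result for one request, handy when reviewing a checker."""
    return {
        "raw": raw_path,
        "canonical": canonicalize(raw_path),
        "naive_allows": is_authorized_naive(raw_path, authenticated),
        "hardened_allows": is_authorized(raw_path, authenticated),
    }


if __name__ == "__main__":
    # Constructed sample requests; the first is the URI quoted in the advisory.
    for path in ("/js/../cgi-bin/post.cgi", "/js/app.js", "/cgi-bin/post.cgi"):
        print(compare(path, authenticated=False))
```

The important design choice is that `canonicalize` returns `None` rather than a clamped path when `..` would climb above the root, and the authorizer treats `None` as deny. Libraries such as `posixpath.normpath` quietly turn `/../x` into `/x`, which hides exactly the kind of input an operator would want logged and rejected.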