Cyber Resilience

CVE-2026-22905

Severity: High
Published: 09 February 2026
Modified: 15 April 2026
CVSS v3.1 base score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0010 (27.6th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-22905 is a high-severity Path Traversal (CWE-22) vulnerability in Certvde (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 27.6th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-22905 is a path traversal vulnerability stemming from insufficient URI validation, classified under CWE-22. It affects a web-exposed component utilizing CGI endpoints, where attackers can employ traversal sequences such as /js/../cgi-bin/post.cgi to circumvent authentication controls. Published on 2026-02-09, the issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its potential for high confidentiality impact without requiring privileges or user interaction.

An unauthenticated attacker with network access can remotely exploit this flaw to bypass authentication mechanisms. Successful exploitation grants unauthorized access to protected CGI endpoints, enabling actions such as downloading sensitive configurations.

Mitigation guidance is available in the referenced advisory at https://certvde.com/de/advisories/VDE-2026-004.


Vulnerability details

An unauthenticated remote attacker can bypass authentication by exploiting insufficient URI validation and using path traversal sequences (e.g., /js/../cgi-bin/post.cgi), gaining unauthorized access to protected CGI endpoints and configuration downloads.
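The failure described in the analysis and the details above is an authorization decision taken on the raw URI before it is normalized. The following is an added example, not code from the vendor or from the CERT@VDE advisory: it models that weak prefix check beside a hardened one that canonicalizes the path first, plus a small detection helper. The protected prefix /cgi-bin/ and all function names are assumptions for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed for illustration: the component's protected CGI tree sits under /cgi-bin/.
PROTECTED_PREFIXES = ("/cgi-bin/",)


def normalize_request_path(raw_path: str) -> str:
    """Canonicalise a request path before any authorization decision.

    The query string is dropped, percent-encoding is decoded so encoded
    dot-segments (%2e%2e) become visible, and posixpath.normpath collapses
    '.', '..' and repeated slashes. Because the path is treated as absolute,
    '..' segments that would climb above the web root are discarded rather
    than allowed to alias some other location.
    """
    path = unquote(raw_path.split("?", 1)[0])
    if not path.startswith("/"):
        path = "/" + path
    normalized = posixpath.normpath(path)
    # normpath preserves a leading '//' (POSIX allows it); fold it to '/'.
    return "/" + normalized.lstrip("/")


def requires_auth_naive(raw_path: str) -> bool:
    """Plausible model of the weak check (not the vendor's code): a literal
    prefix match on the raw URI, so '/js/../cgi-bin/post.cgi' never looks protected."""
    return raw_path.startswith(PROTECTED_PREFIXES)


def requires_auth_normalized(raw_path: str) -> bool:
    """Hardened check: authorize on the canonical path the server will resolve."""
    return normalize_request_path(raw_path).startswith(PROTECTED_PREFIXES)


def traversal_indicator(raw_path: str) -> bool:
    """Detection aid: flag any request whose decoded path contains a '..' segment,
    whether or not it reaches a protected prefix, for logging and alerting."""
    decoded = unquote(raw_path.split("?", 1)[0])
    return ".." in decoded.split("/")


if __name__ == "__main__":
    # Constructed sample requests, including the sequence quoted in the advisory.
    for p in ("/cgi-bin/post.cgi", "/js/../cgi-bin/post.cgi",
              "/js/%2e%2e/cgi-bin/post.cgi", "/js/app.js"):
        print(f"{p:32} naive={requires_auth_naive(p)!s:5} "
              f"normalized={requires_auth_normalized(p)!s:5} "
              f"traversal={traversal_indicator(p)}")
```

The same normalization should be applied by any reverse proxy or WAF rule in front of the device, since a prefix rule evaluated on the raw URI fails in exactly the way the naive check does.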


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

Path traversal in a public-facing CGI/web component enables remote, unauthenticated exploitation of the application (T1190) and direct retrieval of sensitive local configuration files (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-12824 (shared CWE-22)
CVE-2026-25965 (shared CWE-22)
CVE-2025-30567 (shared CWE-22)
CVE-2025-27098 (shared CWE-22)
CVE-2024-55457 (shared CWE-22)
CVE-2026-35485 (shared CWE-22)
CVE-2024-54909 (shared CWE-22)
CVE-2026-3405 (shared CWE-22)
CVE-2025-41368 (shared CWE-22)
CVE-2026-23850 (shared CWE-22)

Affected Assets

Certvde (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 requires validation of URI inputs, directly mitigating path traversal sequences that exploit insufficient URI validation for authentication bypass.

Prevent: SI-9 enforces input restrictions that block invalid or malicious URI paths from accessing protected CGI endpoints.

Prevent: AC-3 mandates enforcement of access authorizations, preventing unauthorized logical access to sensitive configurations via traversed paths.
