Cyber Resilience

CVE-2026-9222

Severity: Critical
Published: 26 June 2026
Modified: 26 June 2026
CVSS v4 base score: 9.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0024 (15.3rd percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-9222 is a critical-severity Use of Password Hash Instead of Password for Authentication (CWE-836) vulnerability in Githubusercontent (vendor inferred from references). Its CVSS v4 base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Pass the Hash (T1550.002). EPSS ranks it at the 15.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.


Vulnerability details

The Setracker2 Android companion app (com.tgelec.setracker), versions 3.1.5 and prior, requires only the password hash when the client authenticates with backend services. This could allow an attacker who knows the hash to authenticate and gain full access.
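As an added illustration (not code from the advisory or from the Setracker2 app), the following contrasts the hash-as-credential check described above with a server-side verifier that needs the actual password; the username, password and record layout are constructed for the example.

```python
import hashlib
import hmac
import os

# --- Vulnerable pattern (CWE-836): the client sends only a password hash and
# the backend compares it with the stored hash. The hash *is* the credential,
# so anyone holding the stored record (or observing a request) can log in.
def client_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def weak_login(user_db: dict, username: str, presented_hash: str) -> bool:
    stored = user_db.get(username)
    return stored is not None and hmac.compare_digest(stored, presented_hash)

# --- Hardened pattern: the client sends the password itself (over TLS) and the
# server verifies it against a per-user salted PBKDF2 digest. A leaked record
# no longer authenticates, because verification needs the original password.
def enroll(password: str, iterations: int = 600_000) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def strong_login(user_db: dict, username: str, password: str) -> bool:
    rec = user_db.get(username)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), rec["salt"], rec["iterations"]
    )
    return hmac.compare_digest(rec["digest"], candidate)

def demo() -> dict:
    """Constructed scenario: the stored record leaks, the password does not."""
    password = "correct horse battery staple"  # constructed sample credential
    weak_db = {"alice": client_hash(password)}
    strong_db = {"alice": enroll(password)}
    leaked_weak = weak_db["alice"]             # what a DB leak or sniffed request yields
    leaked_strong = strong_db["alice"]["digest"].hex()
    return {
        # Hash alone is enough under the weak scheme (the reported behaviour)
        "weak_accepts_hash_only": weak_login(weak_db, "alice", leaked_weak),
        # Real password still works under the hardened scheme
        "strong_accepts_password": strong_login(strong_db, "alice", password),
        # Leaked digest presented as a "password" is rejected
        "strong_rejects_leaked_digest": not strong_login(strong_db, "alice", leaked_strong),
    }
```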

CWE(s): CWE-836 Use of Password Hash Instead of Password for Authentication

Related Threats

MITRE ATT&CK Enterprise Techniques

T1550.002 Pass the Hash (Lateral Movement)
Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls.
Why these techniques?

The vulnerability allows direct authentication to the backend using only a stolen password hash, which directly enables pass-the-hash style access with valid account material.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Githubusercontent (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
