CVE-2026-22034

CRITICAL
2026-01-08 [email protected]
9.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
PoC Detected
Mar 09, 2026 - 14:04 vuln.today
Public exploit code
Patch Released
Mar 09, 2026 - 14:04 nvd
Patch available
CVE Published
Jan 08, 2026 - 15:15 nvd
CRITICAL 9.8

Tags

PHP Snuffleupagus

Description

Snuffleupagus is a module that raises the cost of attacks against website by killing bug classes and providing a virtual patching system. On deployments of Snuffleupagus prior to version 0.13.0 with the non-default upload validation feature enabled and configured to use one of the upstream validation scripts based on Vulcan Logic Disassembler (VLD) while the VLD extension is not available to the CLI SAPI, all files from multipart POST requests are evaluated as PHP code. The issue was fixed in version 0.13.0.

Analysis

Snuffleupagus PHP security module before 0.13.0 can be bypassed when upload validation uses VLD-based scripts without the VLD extension installed. This disables the upload security check entirely, allowing malicious PHP file uploads. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Vendor patch is available.

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

69
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +49
POC: +20

Share

CVE-2026-22034 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy