Skip to main content

Mesalvo Meona CVE-2026-22314

| EUVDEUVD-2026-31090 CRITICAL
Code Injection (CWE-94)
2026-05-20 ENISA GHSA-xcwx-69fp-83wm
9.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 11:45 vuln.today

DescriptionCVE.org

Improper Control of Generation of Code ('Code Injection') vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables code execution on other users' systems. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.

AnalysisAI

Code injection in Mesalvo Meona Client Launcher Component (through 19.06.2020 15:11:49) and Meona Server Component (through 2025.04 5+323020) allows an authenticated, low-privileged attacker to execute code on other users' systems via crafted input that crosses a scope boundary, with user interaction required on the victim side. CVSS 9.0 reflects the cross-user/cross-system impact (Scope:Changed) and full CIA compromise; no public exploit identified at time of analysis. The product is a clinical/healthcare workflow platform, so successful exploitation can pivot between hospital workstations and the server tier.

Technical ContextAI

The flaw is classified as CWE-94 (Improper Control of Generation of Code, i.e., code injection), meaning user-controllable input is incorporated into a code construct that the application later executes rather than treats as data. The affected CPEs are cpe:2.3:a:mesalvo:meona_client_launcher_component and cpe:2.3:a:mesalvo:meona_server_component, indicating both the thick-client launcher (responsible for bootstrapping the Meona clinical client on a workstation) and the central server component are involved. Because the CVSS Scope is Changed (S:C), the injection allows the attacker to influence resources beyond the vulnerable component's own security authority - consistent with one Meona user injecting code that ends up being executed in another user's client session via the shared server.

RemediationAI

No vendor-released patch identified at time of analysis from the provided input - the only reference is the researcher write-up at https://seccore.at/blog/cves-meona/, so operators should contact Mesalvo directly to obtain a Meona Client Launcher build newer than 19.06.2020 15:11:49 and a Server Component build newer than 2025.04 5+323020 and apply both in lockstep, since the components interact. Until a fixed build is confirmed, restrict Meona access to vetted clinical accounts, enforce least privilege on Meona role assignments to shrink the pool of PR:L attackers, segment the Meona server and launcher endpoints from general user networks, and increase monitoring of Meona audit logs and workstation process creation for anomalous child processes of the launcher (the likely execution sink). User-awareness reminders for clinicians not to action unexpected Meona prompts address the UI:R requirement; the trade-off is added friction in time-critical clinical workflows, so combine with technical controls rather than relying on it alone.

Share

CVE-2026-22314 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy