Skip to main content

.NET CVE-2026-22611

LOW
Improper Input Validation (CWE-20)
2026-01-10 security-advisories@github.com GHSA-9cvc-h2w8-phrp
3.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 10, 2026 - 06:15 nvd
LOW 3.7

DescriptionGitHub Advisory

AWS SDK for .NET works with Amazon Web Services to help build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more. From versions 4.0.0 to before 4.0.3.3, Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. This issue has been patched in version 4.0.3.3.

AnalysisAI

AWS SDK for .NET works with Amazon Web Services to help build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more. From versions 4.0.0 to before 4.0.3.3, Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input fie...

Technical ContextAI

This vulnerability (CWE-20: Improper Input Validation) affects and more. From versions 4.0.0 to. AWS SDK for .NET works with Amazon Web Services to help build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more. From versions 4.0.0 to before 4.0.3.3, Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field

Affected ProductsAI

Product: and more. From versions 4.0.0 to. Versions: up to 4.0.3.3.

RemediationAI

Fixed in version 4.0.3.3.. Restrict network access to the affected service where possible.

More in .NET

View all
CVE-2023-7334 CRITICAL POC
9.8 Jan 15

Changjetong T+ (through 16.x) has .NET deserialization RCE in an AjaxPro endpoint. Attacker-controlled JSON triggers des

CVE-2019-25359 HIGH POC
8.2 Feb 18

SD.NET RIM versions before 4.7.3c contain a SQL injection vulnerability that allows attackers to inject malicious SQL st

CVE-2026-25925 HIGH POC
7.8 Feb 09

PowerDocu versions prior to 2.4.0 allow arbitrary .NET object instantiation and code execution through unsafe deserializ

CVE-2025-24070 HIGH POC
7.0 Mar 11

Weak authentication in ASP.NET Core & Visual Studio allows an unauthorized attacker to elevate privileges over a net

CVE-2026-26282 MEDIUM POC
6.6 Feb 19

NanaZip versions 5.0.1252.0 through 6.0.1629.0 contain an out-of-bounds heap read in the .NET Single File bundle parser

CVE-2026-27709 MEDIUM POC
6.6 Feb 26

Out-of-bounds memory read in NanaZip versions 5.0.1252.0 through 6.0.1637.x allows local authenticated attackers to disc

CVE-2020-37103 MEDIUM POC
6.4 Feb 03

DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML

CVE-2026-3263 MEDIUM POC
6.3 Feb 26

Asp.Net-Core-Inventory-Order-Management-System versions up to 9.20250118. contains a security vulnerability (CVSS 6.3).

CVE-2026-26222 CRITICAL
9.8 Feb 24

Insecure .NET Remoting deserialization in Altec DocLink (Beyond Limits) 4.0.336.0. Exposed TCP endpoints allow unauthent

CVE-2026-25592 CRITICAL POC
9.9 Feb 06

Microsoft Semantic Kernel SDK has a CVSS 9.9 path traversal vulnerability enabling AI agents to access arbitrary files o

CVE-2026-26333 CRITICAL
9.8 Feb 13

Unauthenticated .NET Remoting endpoint in Calero VeraSMART before 2022 R1. TCP port 8001 exposes default Object URIs ena

CVE-2026-26335 CRITICAL POC
9.8 Feb 13

Static ASP.NET machineKey in Calero VeraSMART before 2022 R1. Hardcoded key enables ViewState deserialization attacks an

Share

CVE-2026-22611 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy