.NET CVE-2026-22611
LOWSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
AWS SDK for .NET works with Amazon Web Services to help build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more. From versions 4.0.0 to before 4.0.3.3, Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. This issue has been patched in version 4.0.3.3.
AnalysisAI
AWS SDK for .NET works with Amazon Web Services to help build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more. From versions 4.0.0 to before 4.0.3.3, Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input fie...
Technical ContextAI
This vulnerability (CWE-20: Improper Input Validation) affects and more. From versions 4.0.0 to. AWS SDK for .NET works with Amazon Web Services to help build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more. From versions 4.0.0 to before 4.0.3.3, Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field
Affected ProductsAI
Product: and more. From versions 4.0.0 to. Versions: up to 4.0.3.3.
RemediationAI
Fixed in version 4.0.3.3.. Restrict network access to the affected service where possible.
Changjetong T+ (through 16.x) has .NET deserialization RCE in an AjaxPro endpoint. Attacker-controlled JSON triggers des
SD.NET RIM versions before 4.7.3c contain a SQL injection vulnerability that allows attackers to inject malicious SQL st
PowerDocu versions prior to 2.4.0 allow arbitrary .NET object instantiation and code execution through unsafe deserializ
Weak authentication in ASP.NET Core & Visual Studio allows an unauthorized attacker to elevate privileges over a net
NanaZip versions 5.0.1252.0 through 6.0.1629.0 contain an out-of-bounds heap read in the .NET Single File bundle parser
Out-of-bounds memory read in NanaZip versions 5.0.1252.0 through 6.0.1637.x allows local authenticated attackers to disc
DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML
Asp.Net-Core-Inventory-Order-Management-System versions up to 9.20250118. contains a security vulnerability (CVSS 6.3).
Insecure .NET Remoting deserialization in Altec DocLink (Beyond Limits) 4.0.336.0. Exposed TCP endpoints allow unauthent
Microsoft Semantic Kernel SDK has a CVSS 9.9 path traversal vulnerability enabling AI agents to access arbitrary files o
Unauthenticated .NET Remoting endpoint in Calero VeraSMART before 2022 R1. TCP port 8001 exposes default Object URIs ena
Static ASP.NET machineKey in Calero VeraSMART before 2022 R1. Hardcoded key enables ViewState deserialization attacks an
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-9cvc-h2w8-phrp