Skip to main content

Wem CVE-2026-22788

HIGH
Missing Authentication for Critical Function (CWE-306)
2026-01-12 security-advisories@github.com
Authentication Bypass Wem
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
PoC Detected
Jan 21, 2026 - 19:11 vuln.today
Public exploit code
Patch released
Jan 21, 2026 - 19:11 nvd
Patch available
CVE Published
Jan 12, 2026 - 22:16 nvd
HIGH 8.2

DescriptionGitHub Advisory

WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, the WebErpMesV2 application exposes multiple sensitive API endpoints without authentication middleware. An unauthenticated remote attacker can read business-critical data including companies, quotes, orders, tasks, and whiteboards. Limited write access allows creation of company records and full manipulation of collaboration whiteboards. This vulnerability is fixed in 1.19.

AnalysisAI

WebErpMesV2 versions prior to 1.19 expose unauthenticated API endpoints that allow remote attackers to read sensitive manufacturing and business data including orders, quotes, and tasks without credentials. Public exploit code exists for this vulnerability, and attackers can additionally create company records and manipulate collaboration whiteboards. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed API endpoints
Exploit
Send unauthenticated HTTP requests
Execution
Retrieve sensitive business data
Impact
Optionally modify company records
Sign in to reveal

Vulnerability AssessmentAI

Exploitation WebErpMesV2 versions prior to 1.19 with authentication middleware not enforced on sensitive API endpoints (companies, quotes, orders, tasks, whiteboards). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 8.2 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker without authentication could exploit this vulnerability to compromise the affected system.
Remediation A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 7 days: Identify all affected systems and apply vendor patches promptly. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-22788 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy