CVE-2026-22905
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
An unauthenticated remote attacker can bypass authentication by exploiting insufficient URI validation and using path traversal sequences (e.g., /js/../cgi-bin/post.cgi), gaining unauthorized access to protected CGI endpoints and configuration downloads.
AnalysisAI
Insufficient URI validation in CGI endpoints permits unauthenticated attackers to bypass authentication controls through path traversal techniques, enabling direct access to protected administrative functions and configuration files. An attacker can exploit this remotely without credentials to retrieve sensitive data and potentially modify system settings. No patch is currently available for this vulnerability.
Technical ContextAI
Classified as CWE-22 (Path Traversal). An unauthenticated remote attacker can bypass authentication by exploiting insufficient URI validation and using path traversal sequences (e.g., /js/../cgi-bin/post.cgi), gaining unauthorized access to protected CGI endpoints and configuration downloads.
Affected ProductsAI
An unauthenticated remote attacker can bypass authentication by exploiting insufficient URI validation and using path traversal sequences (e.g., /js/.
RemediationAI
Monitor vendor advisories for a patch. Validate and sanitize file path inputs. Use allowlists. Restrict network access to the affected service where possible.
Same weakness CWE-22 – Path Traversal
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today