{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22199", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-01-06T16:47:17.184Z", "datePublished": "2026-03-13T01:18:06.507Z", "dateUpdated": "2026-04-23T13:02:10.267Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-22T18:35:07.223Z"}, "title": "Voltronic Power SNMP Web Pro 1.1 Path Traversal via upload.cgi", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "affected": [{"vendor": "Voltronic Power", "product": "SNMP Web Pro", "versions": [{"status": "affected", "version": "1.1"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "Voltronic Power SNMP Web Pro version 1.1 contains a pre-authentication path traversal vulnerability in the upload.cgi endpoint that allows unauthenticated attackers to read arbitrary files on the device filesystem by supplying directory traversal sequences in the params parameter. Attackers can exploit this vulnerability to disclose sensitive files such as password hashes, which can be cracked offline to obtain root-level access and enable full system compromise.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Voltronic Power SNMP Web Pro version 1.1 contains a pre-authentication path traversal vulnerability in the upload.cgi endpoint that allows unauthenticated attackers to read arbitrary files on the device filesystem by supplying directory traversal sequences in the params parameter. Attackers can exploit this vulnerability to disclose sensitive files such as password hashes, which can be cracked offline to obtain root-level access and enable full system compromise.<br>"}]}], "references": [{"url": "https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22192-22199_Voltronic-Power_Preauth_root_RCE.txt", "tags": ["technical-description"]}, {"url": "https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/", "tags": ["technical-description"]}, {"url": "https://voltronicpower.com/", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/voltronic-power-snmp-web-pro-path-traversal-via-upload-cgi", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "credits": [{"lang": "en", "value": "Jean-Marie Bourbon of Bourbon Offensive Security Services", "type": "finder"}, {"lang": "en", "value": "VulnCheck", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"references": [{"url": "https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/", "tags": ["exploit"]}, {"url": "https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22192-22199_Voltronic-Power_Preauth_root_RCE.txt", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T13:02:04.505924Z", "id": "CVE-2026-22199", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T13:02:10.267Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22199", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T13:02:04.505924Z"}}}], "references": [{"url": "https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/", "tags": ["exploit"]}, {"url": "https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22192-22199_Voltronic-Power_Preauth_root_RCE.txt", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:09:38.366Z"}}], "cna": {"title": "Voltronic Power SNMP Web Pro 1.1 Path Traversal via upload.cgi", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Jean-Marie Bourbon of Bourbon Offensive Security Services"}, {"lang": "en", "type": "coordinator", "value": "VulnCheck"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Voltronic Power", "product": "SNMP Web Pro", "versions": [{"status": "affected", "version": "1.1"}], "defaultStatus": "unknown"}], "references": [{"url": "https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22192-22199_Voltronic-Power_Preauth_root_RCE.txt", "tags": ["technical-description"]}, {"url": "https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/", "tags": ["technical-description"]}, {"url": "https://voltronicpower.com/", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/voltronic-power-snmp-web-pro-path-traversal-via-upload-cgi", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Voltronic Power SNMP Web Pro version 1.1 contains a pre-authentication path traversal vulnerability in the upload.cgi endpoint that allows unauthenticated attackers to read arbitrary files on the device filesystem by supplying directory traversal sequences in the params parameter. Attackers can exploit this vulnerability to disclose sensitive files such as password hashes, which can be cracked offline to obtain root-level access and enable full system compromise.", "supportingMedia": [{"type": "text/html", "value": "Voltronic Power SNMP Web Pro version 1.1 contains a pre-authentication path traversal vulnerability in the upload.cgi endpoint that allows unauthenticated attackers to read arbitrary files on the device filesystem by supplying directory traversal sequences in the params parameter. Attackers can exploit this vulnerability to disclose sensitive files such as password hashes, which can be cracked offline to obtain root-level access and enable full system compromise.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-22T18:35:07.223Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22199", "state": "PUBLISHED", "dateUpdated": "2026-04-22T18:35:07.223Z", "dateReserved": "2026-01-06T16:47:17.184Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-13T01:18:06.507Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "A81F51B9-0C21-4F7E-876B-C09A66B9AE05", "versionEndExcluding": "7.6.47", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Voltronic Power SNMP Web Pro version 1.1 contains a pre-authentication path traversal vulnerability in the upload.cgi endpoint that allows unauthenticated attackers to read arbitrary files on the device filesystem by supplying directory traversal sequences in the params parameter. Attackers can exploit this vulnerability to disclose sensitive files such as password hashes, which can be cracked offline to obtain root-level access and enable full system compromise."}, {"lang": "es", "value": "wpDiscuz antes de 7.6.47 contiene una vulnerabilidad de manipulaci\u00f3n de votos que permite a los atacantes manipular los votos de los comentarios al obtener nonces frescos y eludir la limitaci\u00f3n de velocidad a trav\u00e9s de encabezados controlados por el cliente. Los atacantes pueden variar los encabezados User-Agent para restablecer los l\u00edmites de velocidad, solicitar nonces desde el endpoint wpdGetNonce no autenticado y votar varias veces utilizando rotaci\u00f3n de IP o manipulaci\u00f3n de encabezados de proxy inverso."}], "id": "CVE-2026-22199", "lastModified": "2026-04-23T13:16:11.417", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-13T19:54:09.933", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22192-22199_Voltronic-Power_Preauth_root_RCE.txt"}, {"source": "disclosure@vulncheck.com", "url": "https://voltronicpower.com/"}, {"source": "disclosure@vulncheck.com", "url": "https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/voltronic-power-snmp-web-pro-path-traversal-via-upload-cgi"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22192-22199_Voltronic-Power_Preauth_root_RCE.txt"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.6.47)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "7.6.47"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "wpDiscuz", "source": "cna", "vendor": "gVectors"}, "product": "wpdiscuz", "vendor": "gvectors"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-17T21:24:29.496774+00:00", "value": {"mitigation_remediation": ["Upgrade wpDiscuz to version 7.6.47 or later.", "If an upgrade is not immediately possible, disable or restrict access to the wpdGetNonce endpoint and enforce stricter IP validation or header checks to mitigate rate\u2011limiting bypass."], "summary": {"action": "Patch", "impact": "Vote manipulation / integrity compromise"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress comment plugin wpDiscuz by gVectors. All installations running any version earlier than 7.6.47 are vulnerable. No specific version sub\u2011ranges are listed beyond the major release cutoff.", "description_and_impact": "A vulnerability in wpDiscuz before version 7.6.47 allows an attacker to forge request parameters and obtain a fresh nonce via the unauthenticated wpdGetNonce endpoint. With this nonce, the attacker can repeatedly submit vote actions on comments. By manipulating client\u2011controlled headers, such as the User\u2011Agent and IP\u2011related headers, the attacker can also bypass the plugin\u2019s rate\u2011limiting mechanism. The result is that comment vote counts can be inflated or deflated at will, undermining the integrity of the comment ranking system. The weakness is identified as CWE\u2011290, a broken access\u2011control or authentication bypass condition.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a moderate severity, while the EPSS score of less than 1% suggests a low likelihood of mass exploitation. The vulnerability is not included in the CISA KEV catalog. Exploitation requires only unauthenticated HTTP requests to the plugin\u2019s endpoints and the ability to alter request headers, which is trivial for most attackers. An attacker can automate the process to manipulate many comment votes in a short time."}}}}, "created": "2026-03-13T09:49:19.146158+00:00", "updated": "2026-03-23T09:59:56.588370+00:00", "vendors": ["gvectors", "gvectors$PRODUCT$wpdiscuz", "wordpress", "wordpress$PRODUCT$wordpress"]}