CVE-2026-22903

Summary

An unauthenticated remote attacker can send a crafted HTTP request containing an overly long SESSIONID cookie. This can trigger a stack buffer overflow in the modified lighttpd server, causing it to crash and potentially enabling remote code execution due to missing stack protections.

Affected Software

VendorProductVersion RangeStatus
WAGO0852-13220.0.0 <= 2.64affected
WAGO0852-13280.0.0 <= 2.64affected
WAGO0852-13222.64affected
WAGO0852-13282.64affected

Weaknesses

  • CWE-121: CWE-121 Stack-based Buffer Overflow

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References