CVE-2026-22905

Summary

An unauthenticated remote attacker can bypass authentication by exploiting insufficient URI validation and using path traversal sequences (e.g., /js/../cgi-bin/post.cgi), gaining unauthorized access to protected CGI endpoints and configuration downloads.

Affected Software

VendorProductVersion RangeStatus
WAGO0852-13220.0.0 <= 2.64affected
WAGO0852-13280.0.0 <= 2.64affected
WAGO0852-13222.64affected
WAGO0852-13282.64affected

Weaknesses

  • CWE-22: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References