CVE-2026-22034 — CRITICAL (9.8)

Q: How severe is CVE-2026-22034?

CVE-2026-22034 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2026-22034?

Check the references section above for vendor advisories and patch information. Affected products include: Jvoisin Snuffleupagus.

Vulnerability Description

Snuffleupagus is a module that raises the cost of attacks against website by killing bug classes and providing a virtual patching system. On deployments of Snuffleupagus prior to version 0.13.0 with the non-default upload validation feature enabled and configured to use one of the upstream validation scripts based on Vulcan Logic Disassembler (VLD) while the VLD extension is not available to the CLI SAPI, all files from multipart POST requests are evaluated as PHP code. The issue was fixed in version 0.13.0.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Jvoisin	Snuffleupagus	< 0.13.0

Related Weaknesses (CWE)

CWE-636

References

FAQ

What is CVE-2026-22034?

CVE-2026-22034 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Snuffleupagus is a module that raises the cost of attacks against website by killing bug classes and providing a virtual patching system. On deployments of Snuffleupagus prior to version 0.13.0 with t...

How severe is CVE-2026-22034?

CVE-2026-22034 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-22034?

Check the references section above for vendor advisories and patch information. Affected products include: Jvoisin Snuffleupagus.