CVE-2022-24449

CRITICAL

Solar appScreener <= 3.10.4 - XML External Entity Injection and Server-Side Request Forgery via Crafted XML Document

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-24449. PoCs published by jet-pentest.

AI-analyzed exploit summary This repository contains a writeup for CVE-2022-24449, an XXE vulnerability in Solar AppScreener SAST tool versions up to 3.10.4. The vulnerability allows unauthorized actors to upload crafted XML files, leading to XXE-SSRF attacks.

Description

Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document.

Exploits (1)

nomisec WRITEUP

by jet-pentest · poc

https://github.com/jet-pentest/CVE-2022-24449

View Code ZIP pw:eip

This repository contains a writeup for CVE-2022-24449, an XXE vulnerability in Solar AppScreener SAST tool versions up to 3.10.4. The vulnerability allows unauthorized actors to upload crafted XML files, leading to XXE-SSRF attacks.

Classification

Writeup 90%

Attack Type

Ssrf

Complexity

Trivial

Reliability

Reliable

Target: Solar AppScreener SAST tool <= 3.10.4

No auth needed

Prerequisites: Access to the license update mechanism · Ability to upload crafted XML files

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Product, Vendor Advisory x_refsource_misc

https://en.rt-solar.ru/products/solarAPPscreener/

Third Party Advisory x_refsource_misc

https://github.com/jet-pentest/CVE-2022-24449

Scores

CVSS v3 9.8

EPSS 0.0184

EPSS Percentile 76.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-611 CWE-918

Status published

Products (1)

rt-solar/solar_appscreener < 3.10.4

Published Apr 28, 2022

Tracked Since Feb 18, 2026