CVE-2026-22034

CRITICAL

Snuffleupagus <0.13.0 - Code Injection

Title source: llm
STIX 2.1

Description

Snuffleupagus is a module that raises the cost of attacks against website by killing bug classes and providing a virtual patching system. On deployments of Snuffleupagus prior to version 0.13.0 with the non-default upload validation feature enabled and configured to use one of the upstream validation scripts based on Vulcan Logic Disassembler (VLD) while the VLD extension is not available to the CLI SAPI, all files from multipart POST requests are evaluated as PHP code. The issue was fixed in version 0.13.0.

References (8)

Core 8
Core References

Scores

CVSS v3 9.8
EPSS 0.0005
EPSS Percentile 16.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-636
Status published
Products (1)
jvoisin/snuffleupagus < 0.13.0
Published Jan 08, 2026
Tracked Since Feb 18, 2026