CVE-2026-22194

HIGH

Gestsup < 3.2.56 - CSRF

Title source: rule

Description

GestSup versions up to and including 3.2.60 contain a cross-site request forgery (CSRF) vulnerability where the application does not verify the authenticity of client requests. An attacker can induce a logged-in user to submit crafted requests that perform actions with the victim's privileges. This can be exploited to create privileged accounts by targeting the administrative user creation endpoint.

References (2)

[Release Notes] https://gestsup.fr/index.php?page=changelog

[Third Party Advisory] https://www.vulncheck.com/advisories/gestsup-csrf-allows-privileged-actions

Scores

CVSS v3 8.8

EPSS 0.0001

EPSS Percentile 0.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

CWE

CWE-352

Status published

Affected Products (1)

gestsup/gestsup < 3.2.56

Timeline

Published Jan 09, 2026

Tracked Since Feb 18, 2026