CVE-2026-22788

HIGH

wem-project/wem < 1.19 - Unauthenticated Sensitive Data Exposure and Limited Write Access via API Endpoints

Title source: llm

Description

WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, the WebErpMesV2 application exposes multiple sensitive API endpoints without authentication middleware. An unauthenticated remote attacker can read business-critical data including companies, quotes, orders, tasks, and whiteboards. Limited write access allows creation of company records and full manipulation of collaboration whiteboards. This vulnerability is fixed in 1.19.

References (2)

Core 2

Core References

Exploit, Patch, Vendor Advisory x_refsource_confirm

https://github.com/SMEWebify/WebErpMesv2/security/advisories/GHSA-pp68-5pc2-hv7w

Patch x_refsource_misc

https://github.com/SMEWebify/WebErpMesv2/commit/3a7ab1c95d1d1c8f7c62c84bc87b3666ecd2fa23

View Patch ZIP pw:eip

Scores

CVSS v3 8.2

EPSS 0.0053

EPSS Percentile 40.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-306

Status published

Products (1)

wem-project/wem < 1.19

Published Jan 12, 2026

Tracked Since Feb 18, 2026