CVE-2026-22788

HIGH

Wem < 1.19 - Missing Authentication

Title source: rule

Description

WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, the WebErpMesV2 application exposes multiple sensitive API endpoints without authentication middleware. An unauthenticated remote attacker can read business-critical data including companies, quotes, orders, tasks, and whiteboards. Limited write access allows creation of company records and full manipulation of collaboration whiteboards. This vulnerability is fixed in 1.19.

References (2)

Scores

CVSS v3 8.2
EPSS 0.0025
EPSS Percentile 48.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Classification

CWE
CWE-306
Status published

Affected Products (1)

wem-project/wem < 1.19

Timeline

Published Jan 12, 2026
Tracked Since Feb 18, 2026