CVE-2026-22789HIGH 8.8EPSS p13.5%

CVE-2026-22789CVE-2026-22789

Description

WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, WebErpMesv2 contains a file upload validation bypass vulnerability in multiple controllers that allows authenticated users to upload arbitrary files, including PHP scripts, leading to Remote Code Execution (RCE). This vulnerability is identical in nature to CVE-2025-52130 but exists in different code locations that were not addressed by the original fix. This vulnerability is fixed in 1.19.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.23% probability of exploitation · percentile 13.5% · 2026-06-18T12:00:27Z
Published2026-01-12
Last modified2026-01-21

Underlying weaknesses· 2

CWE-434CWE-616

References

  1. https://github.com/SMEWebify/WebErpMesv2/commit/c9e7f4a85aeb774a0ea4b61ad57a51b941166b69
  2. https://github.com/SMEWebify/WebErpMesv2/security/advisories/GHSA-64rv-f829-x6m4
  3. https://github.com/SMEWebify/WebErpMesv2/security/advisories/GHSA-64rv-f829-x6m4

2

TypeTargetConfidenceTier
WeaknessUnrestricted Upload of File with Dangerous Typecwe-4340%live
WeaknessIncomplete Identification of Uploaded File Variables (PHP)cwe-6160%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-22788
CVE
CVE-2026-22799
CVE
CVE-2026-38526
CVE
CVE-2025-34506
CVE
CVE-2025-58159
CVE
CVE-2025-63994
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.