CVE-2026-22034

Snuffleupagus is a module that raises the cost of attacks against website by killing bug classes and providing a virtual patching system. On deployments of Snuffleupagus prior to version 0.13.0 with the non-default upload validation feature enabled and configured to use one of the upstream validation scripts based on Vulcan Logic Disassembler (VLD) while the VLD extension is not available to the CLI SAPI, all files from multipart POST requests are evaluated as PHP code. The issue was fixed in version 0.13.0.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/jvoisin/snuffleupagus/blob/9278dc77bab2a219e770a1b31dd6797bc9070e37/src/sp_upload_validation.c#L92-L100	Product
https://github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.php	Product
https://github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.py	Product
https://github.com/jvoisin/snuffleupagus/commit/9278dc77bab2a219e770a1b31dd6797bc9070e37	Patch
https://github.com/jvoisin/snuffleupagus/security/advisories/GHSA-c4ch-xw5p-2mvc	Patch Vendor Advisory Exploit
https://github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/ext/standard/dl.c#L165-L166	Product
https://github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/main/rfc1867.c#L1269-L1274	Product
https://snuffleupagus.readthedocs.io/config.html#upload-validation	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:jvoisin:snuffleupagus:*:*:*:*:*:*:*:*

History

09 Mar 2026, 14:04

Type	Values Removed	Values Added
References	~~() https://github.com/jvoisin/snuffleupagus/blob/9278dc77bab2a219e770a1b31dd6797bc9070e37/src/sp_upload_validation.c#L92-L100 -~~	() https://github.com/jvoisin/snuffleupagus/blob/9278dc77bab2a219e770a1b31dd6797bc9070e37/src/sp_upload_validation.c#L92-L100 - Product
References	~~() https://github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.php -~~	() https://github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.php - Product
References	~~() https://github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.py -~~	() https://github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.py - Product
References	~~() https://github.com/jvoisin/snuffleupagus/commit/9278dc77bab2a219e770a1b31dd6797bc9070e37 -~~	() https://github.com/jvoisin/snuffleupagus/commit/9278dc77bab2a219e770a1b31dd6797bc9070e37 - Patch
References	~~() https://github.com/jvoisin/snuffleupagus/security/advisories/GHSA-c4ch-xw5p-2mvc -~~	() https://github.com/jvoisin/snuffleupagus/security/advisories/GHSA-c4ch-xw5p-2mvc - Patch, Vendor Advisory, Exploit
References	~~() https://github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/ext/standard/dl.c#L165-L166 -~~	() https://github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/ext/standard/dl.c#L165-L166 - Product
References	~~() https://github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/main/rfc1867.c#L1269-L1274 -~~	() https://github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/main/rfc1867.c#L1269-L1274 - Product
References	~~() https://snuffleupagus.readthedocs.io/config.html#upload-validation -~~	() https://snuffleupagus.readthedocs.io/config.html#upload-validation - Product
CPE		cpe:2.3:a:jvoisin:snuffleupagus::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Jvoisin Jvoisin snuffleupagus

08 Jan 2026, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-08 15:15

Updated : 2026-03-09 14:04

NVD link : CVE-2026-22034

Mitre link : CVE-2026-22034

CVE.ORG link : CVE-2026-22034

JSON object : View

Products Affected

jvoisin

snuffleupagus

CWE

CWE-636

Not Failing Securely ('Failing Open')

9.8 /10