CVE-2026-22034

N/A Unknown

📋 TL;DR

This vulnerability in Snuffleupagus allows uploaded files in multipart POST requests to be executed as PHP code when specific non-default configurations are enabled. It affects deployments using upload validation with upstream VLD-based scripts while the VLD extension is unavailable to the CLI SAPI. Attackers could potentially execute arbitrary code on vulnerable systems.

💻 Affected Systems

Products:
  • Snuffleupagus
Versions: All versions prior to 0.13.0
Operating Systems: All operating systems running PHP with Snuffleupagus
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when:
  • Upload validation feature is enabled (non-default)
  • Using upstream VLD-based validation scripts
  • VLD extension not available to the CLI SAPI

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Arbitrary PHP code execution allowing website defacement, data exfiltration, or backdoor installation.

🟢

If Mitigated

No impact if upload validation is disabled or properly configured with VLD available.

🌐 Internet-Facing: HIGH - Web servers accepting file uploads could be directly exploited.
🏢 Internal Only: MEDIUM - Internal systems with file upload functionality could be exploited by authenticated users.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Simple file upload with crafted content

Exploitation requires specific configuration but is straightforward once conditions are met.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.13.0

Vendor Advisory: https://github.com/jvoisin/snuffleupagus/security/advisories/GHSA-c4ch-xw5p-2mvc

Restart Required: Yes

Instructions:

  1. Update Snuffleupagus to version 0.13.0 or later.
  2. Restart PHP-FPM or the web server.
  3. Verify the update was successful.

🔧 Temporary Workarounds

Disable upload validation (all platforms)

Turn off the non-default upload validation feature in the Snuffleupagus configuration: edit the snuffleupagus.rules file and remove or comment out the upload validation directives.

Ensure VLD extension availability (all platforms)

Make sure the VLD extension is properly installed and available to the CLI SAPI:

php -m | grep vld

Check that the php.ini used by the CLI SAPI loads vld.so (or vld.dll on Windows).

🧯 If You Can't Patch

  • Disable file upload functionality entirely on affected systems
  • Implement strict file type validation and content inspection at application layer

🔍 How to Verify

Check if Vulnerable:

Check Snuffleupagus version and configuration:
  1. Run 'php --ri snuffleupagus' to check the version.
  2. Review snuffleupagus.rules for upload validation settings.
  3. Verify whether the VLD extension is loaded in the CLI: 'php -m | grep vld'

Check Version:

php --ri snuffleupagus | grep Version

Verify Fix Applied:

  1. Confirm the version is 0.13.0 or higher: 'php --ri snuffleupagus | grep Version'.
  2. Test file upload functionality with non-PHP files to ensure they are not executed.
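The three checks above combined into one script, as an added example that is not part of this page or of the Snuffleupagus project. It reports the host as exposed only when all three preconditions hold (version below 0.13.0, upload validation enabled, VLD missing from the CLI SAPI); the rules file path and the directive name sp.upload_validation are assumptions taken from the Snuffleupagus documentation, not from this page.

```shell
#!/bin/sh
# Added example: precondition check for CVE-2026-22034 (not from the advisory).
# Assumptions: the rules file path and the "sp.upload_validation" directive name
# come from Snuffleupagus documentation; adjust SP_RULES_FILE for your host.

RULES_FILE="${SP_RULES_FILE:-/etc/php/snuffleupagus.rules}"   # assumed default path
FIXED_VERSION="0.13.0"

# version_lt A B: succeed (0) when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# sp_version: extract "Version => X" from `php --ri snuffleupagus` output on stdin.
sp_version() {
    sed -n 's/^Version[[:space:]]*=>[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# upload_validation_enabled: succeed when the rules text on stdin contains an
# uncommented sp.upload_validation directive that ends in .enable().
upload_validation_enabled() {
    grep -Eq '^[[:space:]]*sp\.upload_validation.*\.enable\(\)'
}

# assess VERSION VALIDATION_ON(0/1) VLD_LOADED(0/1): print a one-line verdict.
assess() {
    if ! version_lt "$1" "$FIXED_VERSION"; then
        echo "not-vulnerable: version $1 includes the fix"
    elif [ "$2" -ne 1 ]; then
        echo "not-vulnerable: upload validation disabled"
    elif [ "$3" -eq 1 ]; then
        echo "not-vulnerable: VLD loaded in CLI SAPI"
    else
        echo "vulnerable: version $1, upload validation on, VLD missing in CLI"
    fi
}

# check_host: run the live checks against the local PHP CLI and rules file.
check_host() {
    ver=$(php --ri snuffleupagus 2>/dev/null | sp_version)
    [ -n "$ver" ] || { echo "snuffleupagus not loaded in CLI"; return 2; }
    uv=0; [ -r "$RULES_FILE" ] && upload_validation_enabled < "$RULES_FILE" && uv=1
    vld=0; php -m 2>/dev/null | grep -qi '^vld$' && vld=1
    assess "$ver" "$uv" "$vld"
}
if [ "${1:-}" = "run" ]; then check_host; fi
```

Invoke as `sh check_sp.sh run` on the host; a non-zero exit with "snuffleupagus not loaded in CLI" means the CLI SAPI is not loading the extension at all, so the CLI-based checks above would not reflect the web SAPI's configuration.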

📡 Detection & Monitoring

Log Indicators:

  • Unexpected PHP execution from uploaded files
  • File uploads with suspicious content patterns
  • Errors related to VLD extension in PHP logs

Network Indicators:

  • Multipart POST requests with file uploads to vulnerable endpoints
  • Unexpected outbound connections from web server after file uploads

SIEM Query:

(source="php_error.log" AND (("upload" AND "execution") OR "VLD")) OR (source="access.log" AND method="POST" AND uri CONTAINS "upload" AND status=200)
