Description
WebErpMesv2 is a web-based Resource Management and Manufacturing Execution System for industry. Prior to 1.19, the WebErpMesv2 application exposes multiple sensitive API endpoints without authentication middleware. An unauthenticated remote attacker can read business-critical data including companies, quotes, orders, tasks, and whiteboards. Limited write access allows creation of company records and full manipulation of collaboration whiteboards. This vulnerability is fixed in 1.19.
References
- Patch
- Exploit, Patch, Vendor Advisory
- Exploit, Patch, Vendor Advisory
Vulnerable configurations
Configuration 1: versions before 1.19 (exclusive)
cpe:2.3:a:wem-project:wem:*:*:*:*:*:*:*:*
EPSS
Score: 0.00173 (Low), percentile: 39%
CVSS3
8.2 High
Weaknesses
CWE-306