9.2 / 10 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Description
Snuffleupagus is a module that raises the cost of attacks against websites by killing bug classes and providing a virtual patching system. On deployments of Snuffleupagus prior to version 0.13.0 with the non-default upload validation feature enabled and configured to use one of the upstream validation scripts based on the Vulcan Logic Disassembler (VLD), while the VLD extension is not available to the CLI SAPI, all files from multipart POST requests are evaluated as PHP code. The issue was fixed in version 0.13.0.
AI Analysis
Remote Code Execution (RCE) vulnerability in Snuffleupagus prior to version 0.13.0, allowing evaluation of all files from multipart POST requests as PHP code when upload validation is enabled without the VLD package.
Basic Information
ID: CVE-2026-22034
Source: GitHub_M
Published: Jan 8, 2026 at 14:49
Modified: Jan 8, 2026 at 15:06
Affected Product
Vendor: jvoisin
Product: snuffleupagus
Version: < 0.13.0
Affected Versions: jvoisin snuffleupagus < 0.13.0
CWE Classification
AI Assessment
AI Score: 9.2 / 10
AI Severity: Critical
Vendor: jvoisin
Product: Snuffleupagus
Version: < 0.13.0
References
- github.com/jvoisin/snuffleupagus/security/advisories/GHSA-c4ch-xw5p-2mvc
- github.com/jvoisin/snuffleupagus/commit/9278dc77bab2a219e770a1b31dd6797bc9070e37
- github.com/jvoisin/snuffleupagus/blob/9278dc77bab2a219e770a1b31dd6797bc9070e37/src/sp_upload_validation.c
- github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.php
- github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.py
- github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/ext/standard/dl.c
- github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/main/rfc1867.c
- snuffleupagus.readthedocs.io/config.html