{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22903", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "state": "PUBLISHED", "assignerShortName": "CERTVDE", "dateReserved": "2026-01-13T08:33:25.683Z", "datePublished": "2026-02-09T07:39:42.537Z", "dateUpdated": "2026-02-09T15:36:36.790Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "0852-1322", "vendor": "WAGO", "versions": [{"lessThanOrEqual": "2.64", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "0852-1328", "vendor": "WAGO", "versions": [{"lessThanOrEqual": "2.64", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "0852-1322", "vendor": "WAGO", "versions": [{"status": "affected", "version": "2.64"}]}, {"defaultStatus": "unaffected", "product": "0852-1328", "vendor": "WAGO", "versions": [{"status": "affected", "version": "2.64"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Diconium"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An unauthenticated remote attacker can send a crafted HTTP request containing an overly long SESSIONID cookie. This can trigger a stack buffer overflow in the modified lighttpd server, causing it to crash and potentially enabling remote code execution due to missing stack protections.<br>"}], "value": "An unauthenticated remote attacker can send a crafted HTTP request containing an overly long SESSIONID cookie. This can trigger a stack buffer overflow in the modified lighttpd server, causing it to crash and potentially enabling remote code execution due to missing stack protections."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2026-02-09T07:39:42.537Z"}, "references": [{"url": "https://certvde.com/de/advisories/VDE-2026-004"}], "source": {"advisory": "VDE-2026-004", "defect": ["CERT@VDE#641934"], "discovery": "UNKNOWN"}, "title": "Stack Overflow via SESSIONID Cookie in lighttpd", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T15:36:08.801691Z", "id": "CVE-2026-22903", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:36:36.790Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An unauthenticated remote attacker can send a crafted HTTP request containing an overly long SESSIONID cookie. This can trigger a stack buffer overflow in the modified lighttpd server, causing it to crash and potentially enabling remote code execution due to missing stack protections."}, {"lang": "es", "value": "Un atacante remoto no autenticado puede enviar una solicitud HTTP manipulada que contiene una cookie SESSIONID excesivamente larga. Esto puede desencadenar un desbordamiento de b\u00fafer de pila en el servidor lighttpd modificado, lo que provoca su ca\u00edda y potencialmente permite la ejecuci\u00f3n remota de c\u00f3digo debido a la falta de protecciones de pila."}], "id": "CVE-2026-22903", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "info@cert.vde.com", "type": "Primary"}]}, "published": "2026-02-09T08:16:10.103", "references": [{"source": "info@cert.vde.com", "url": "https://certvde.com/de/advisories/VDE-2026-004"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "info@cert.vde.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,2.64]"}}], "product": "0852-1322", "vendor": "wago"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.64"}}], "product": "0852-1322", "vendor": "wago"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,2.64]"}}], "product": "0852-1328", "vendor": "wago"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.64"}}], "product": "0852-1328", "vendor": "wago"}], "analysis": {"en": {"generated_at": "2026-04-17T21:32:23.456584+00:00", "value": {"mitigation_remediation": ["Check that the device firmware has been updated to a version containing a corrected lighttpd server and apply the vendor\u2019s patch if available. ", "Configure network firewalls or access controls to restrict or block unauthenticated access to the HTTP interface, limiting exposure to the vulnerable component. ", "Ensure that the lighttpd compilation includes stack protection (e.g., stack canaries) and that the server does not accept excessively large SESSIONID cookies."], "summary": {"action": "Immediate Patch", "impact": "Potential Remote Code Execution via stack buffer overflow"}, "threat_synthesis": {"affected_systems": "The affected devices are WAGO controllers with firmware code numbers 0852-1322 and 0852-1328. No specific firmware version ranges have been disclosed; the flaw exists in the modified lighttpd server component used across these products.", "description_and_impact": "An unauthenticated attacker can send a specially crafted HTTP request containing an excessively large SESSIONID cookie to a modified lighttpd server. The request triggers a stack buffer overflow that causes the server to crash. Because the server lacks sufficient stack protections, the overflow may allow the attacker to execute arbitrary code on the host.", "risk_and_exploitability": "The vulnerability has a CVSS score of 9.8, indicating critical severity. The EPSS score is below 1\u202f%, suggesting low current exploitation likelihood, but the impact remains high. The flaw is not listed in the CISA KEV catalog. The attack vector is remote over the network, exploiting the HTTP interface without authentication, and feasibility depends on the availability of the vulnerable web server and lack of stack protection mechanisms."}}}}, "created": "2026-02-10T12:23:51.330558+00:00", "updated": "2026-04-17T21:45:28.604470+00:00", "vendors": ["wago", "wago$PRODUCT$0852-1322", "wago$PRODUCT$0852-1328"]}