CVE-2026-22034 - Vulnerability Details

- Snuffleupagus vulnerable to RCE on instances with upload validation enabled but without the VLD package

Description

Snuffleupagus is a module that raises the cost of attacks against website by killing bug classes and providing a virtual patching system. On deployments of Snuffleupagus prior to version 0.13.0 with the non-default upload validation feature enabled and configured to use one of the upstream validation scripts based on Vulcan Logic Disassembler (VLD) while the VLD extension is not available to the CLI SAPI, all files from multipart POST requests are evaluated as PHP code. The issue was fixed in version 0.13.0.

Published: 2026-01-08

Score: 9.2 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Snuffleupagus allows attackers to execute any PHP code that is uploaded through multipart POST requests when the non‑default upload validation feature is enabled and configured to use a Vulcan Logic Disassembler script, but the VLD extension is missing from the CLI SAPI. The flaw arises from a flaw in input validation (CWE‑636), causing every uploaded file to be evaluated as PHP code. This means an adversary can inject malicious PHP that the web application will execute, compromising confidentiality, integrity, and availability of the affected system.

Affected Systems

The affected product is Snuffleupagus from jvoisin. Versions prior to 0.13.0 with upload validation enabled and configured to use VLD‑based scripts while the VLD extension is not available to the CLI SAPI are vulnerable. The vulnerability does not affect later releases of Snuffleupagus.

Risk and Exploitability

The CVSS score of 9.2 indicates a high severity. The EPSS score is less than 1%, suggesting a low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Attackers would typically use a HTTP POST request with a multipart/form‑data payload to upload a file containing PHP code; if the module interprets the file as code, it will run with the PHP process’s privileges. The issue has been fixed in version 0.13.0, so only legacy installations remain at risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

jvoisin

snuffleupagus

affected

Version	Status	Constraints
`< 0.13.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:jvoisin:snuffleupagus:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Snuffleupagus to version 0.13.0 or newer.
If an immediate upgrade is not possible, disable the non‑default upload validation feature or switch to a validation script that does not rely on the VLD extension.
If the VLD extension must be used, ensure it is available to the CLI SAPI before enabling upload validation.

Generated by OpenCVE AI on April 18, 2026 at 07:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00052.

Exploitation poc

Automatable yes

Technical Impact total

References

Link	Providers
https://github.com/jvoisin/snuffleupagus/blob/9278dc77bab2a219e770a1b31dd6797bc9070e37/src/sp_upload_validation.c#L92-L100
https://github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.php
https://github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.py
https://github.com/jvoisin/snuffleupagus/commit/9278dc77bab2a219e770a1b31dd6797bc9070e37
https://github.com/jvoisin/snuffleupagus/security/advisories/GHSA-c4ch-xw5p-2mvc
https://github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/ext/standard/dl.c#L165-L166
https://github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/main/rfc1867.c#L1269-L1274
https://snuffleupagus.readthedocs.io/config.html#upload-validation

History

Mon, 09 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jvoisin Jvoisin snuffleupagus
CPEs		cpe:2.3:a:jvoisin:snuffleupagus::::::::
Vendors & Products		Jvoisin Jvoisin snuffleupagus
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 08 Jan 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 08 Jan 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		Snuffleupagus is a module that raises the cost of attacks against website by killing bug classes and providing a virtual patching system. On deployments of Snuffleupagus prior to version 0.13.0 with the non-default upload validation feature enabled and configured to use one of the upstream validation scripts based on Vulcan Logic Disassembler (VLD) while the VLD extension is not available to the CLI SAPI, all files from multipart POST requests are evaluated as PHP code. The issue was fixed in version 0.13.0.
Title		Snuffleupagus vulnerable to RCE on instances with upload validation enabled but without the VLD package
Weaknesses		CWE-636
References		https://github.com/jvoisin/snuffleupagus/blob/9278dc77bab2a219e770a1b31dd6797bc9070e37/src/sp_upload_validation.c#L92-L100 https://github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.php https://github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.py https://github.com/jvoisin/snuffleupagus/commit/9278dc77bab2a219e770a1b31dd6797bc9070e37 https://github.com/jvoisin/snuffleupagus/security/advisories/GHSA-c4ch-xw5p-2mvc https://github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/ext/standard/dl.c#L165-L166 https://github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/main/rfc1867.c#L1269-L1274 https://snuffleupagus.readthedocs.io/config.html#upload-validation
Metrics		cvssV4_0 `{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Jvoisin Snuffleupagus

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-08T14:49:05.020Z

Updated: 2026-01-08T15:06:42.132Z

Reserved: 2026-01-05T22:30:38.719Z

Link: CVE-2026-22034

Vulnrichment

Updated: 2026-01-08T15:06:08.840Z

NVD

Status : Analyzed

Published: 2026-01-08T15:15:45.150

Modified: 2026-03-09T14:04:29.357

Link: CVE-2026-22034

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:45:24Z

Weaknesses

CWE-636

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object