Description
WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, WebErpMesv2 contains a file upload validation bypass vulnerability in multiple controllers that allows authenticated users to upload arbitrary files, including PHP scripts, leading to Remote Code Execution (RCE). This vulnerability is identical in nature to CVE-2025-52130 but exists in different code locations that were not addressed by the original fix. This vulnerability is fixed in 1.19.
Published: 2026-01-12
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

WebErpMesv2 v1.18 and earlier allow authenticated users to upload arbitrary files due to a bypass of the file‑type validation in several controllers. An attacker can upload a PHP script or other executable file, which is then processed by the web server, resulting in remote code execution. The flaw is an example of unrestricted file upload (CWE‑434) and a failure to validate the file’s domain or type (CWE‑616). Successful exploitation permits code execution with the privileges of the web application, potentially compromising the host, stealing data, or disrupting operations.

Affected Systems

Vendor SMEWebify’s WebErpMesv2 product is affected in all releases before 1.19. The vulnerability exists in version 1.18 and earlier, and was addressed in the 1.19 release.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, largely because the flaw has an authentication requirement. The EPSS score of less than 1% suggests that, historically, exploitation attempts are rare. The vulnerability is not yet listed in the CISA KEV catalog. Attackers need valid credentials to reach the upload endpoint, and the web server must be configured to execute uploaded PHP files. Because the flaw remains dormant until an authenticated user uploads a malicious file, the exposure is limited to systems that allow user logins and file uploads, but the impact of a successful attack would be full system compromise.

Generated by OpenCVE AI on April 18, 2026 at 06:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to WebErpMesv2 1.19 or later to eliminate the file upload validation bypass.
  • If an upgrade cannot be performed immediately, restrict the upload directory to non‑executable file types, enforce a strict whitelist of allowed MIME types, and block execution of uploaded files.
  • Disable the file upload feature for users who do not require it, applying the principle of least privilege.
  • Verify that the web server does not treat the upload directory as a web‑executable location, and configure it to serve uploads as static content only.
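As an added example (not code from WebErpMesv2 or OpenCVE), the following PHP upload handler applies the whitelist and non-executable storage described above; the function names, the allowed-type table and the upload directory are assumptions:

```php
<?php
// Added example, not WebErpMesv2 code. Assumed: $uploadDir lies outside the
// document root and the web server serves it as static content only.
declare(strict_types=1);

// Allowed extension => MIME type that must be detected in the file's bytes.
const ALLOWED_TYPES = [
    'pdf'  => 'application/pdf',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

/** Returns a safe destination filename for one $_FILES entry, or throws. */
function validateUpload(array $file): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . $err);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a file uploaded via HTTP POST');
    }
    // Whitelist the extension; anything not in the table (php, phtml, ...) fails.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException("Extension '$ext' is not allowed");
    }
    // Check the file content, not the client-supplied $file['type'] header.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("Content type $detected does not match .$ext");
    }
    // Discard the client's name entirely: random name plus the validated extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Validates and stores the upload; returns the path it was written to. */
function storeUpload(array $file, string $uploadDir): string
{
    $dest = rtrim($uploadDir, '/') . '/' . validateUpload($file);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    chmod($dest, 0640); // readable by the application, never executable
    return $dest;
}
// Usage inside a controller: storeUpload($_FILES['document'], '/var/app/uploads');
```

The extension check alone is not enough: the content check rejects a file whose bytes do not match its claimed type, and the random filename drops every part of the client-supplied name before the file reaches disk.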



Advisories

No advisories yet.

History

Wed, 21 Jan 2026 19:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wem-project
                    |                | Wem-project wem
CPEs                |                | cpe:2.3:a:wem-project:wem:1.18:*:*:*:*:*:*:*
Vendors & Products  |                | Wem-project
                    |                | Wem-project wem

Tue, 13 Jan 2026 20:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc
        |                | {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 12 Jan 2026 22:00:00 +0000

Type        | Values Removed | Values Added
Description |                | WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, WebErpMesv2 contains a file upload validation bypass vulnerability in multiple controllers that allows authenticated users to upload arbitrary files, including PHP scripts, leading to Remote Code Execution (RCE). This vulnerability is identical in nature to CVE-2025-52130 but exists in different code locations that were not addressed by the original fix. This vulnerability is fixed in 1.19.
Title       |                | WebErpMesv2 has a File Upload Validation Bypass Leading to RCE
Weaknesses  |                | CWE-434
            |                | CWE-616
References  |                |
Metrics     |                | cvssV3_1
            |                | {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-13T19:41:31.721Z

Reserved: 2026-01-09T18:27:19.388Z

Link: CVE-2026-22789

Vulnrichment

Updated: 2026-01-13T19:41:21.956Z

NVD

Status : Analyzed

Published: 2026-01-12T22:16:08.490

Modified: 2026-01-21T19:11:41.560

Link: CVE-2026-22789

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:00:11Z

Weaknesses