Description
An unauthenticated remote attacker can send a crafted HTTP request containing an overly long SESSIONID cookie. This can trigger a stack buffer overflow in the modified lighttpd server, causing it to crash and potentially enabling remote code execution due to missing stack protections.
Published: 2026-02-09
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Potential Remote Code Execution via stack buffer overflow
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated attacker can send a specially crafted HTTP request containing an excessively large SESSIONID cookie to a modified lighttpd server. The request triggers a stack buffer overflow that causes the server to crash. Because the server lacks sufficient stack protections, the overflow may allow the attacker to execute arbitrary code on the host.

Affected Systems

The affected devices are WAGO controllers with firmware code numbers 0852-1322 and 0852-1328. No specific firmware version ranges have been disclosed; the flaw exists in the modified lighttpd server component used across these products.

Risk and Exploitability

The vulnerability has a CVSS score of 9.8, indicating critical severity. The EPSS score is below 1%, suggesting a low current likelihood of exploitation, but the impact remains high. The flaw is not listed in the CISA KEV catalog. The attack vector is remote over the network, exploiting the HTTP interface without authentication; feasibility depends on the vulnerable web server being reachable and on the absence of stack protection mechanisms.

Generated by OpenCVE AI on April 17, 2026 at 21:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check that the device firmware has been updated to a version containing a corrected lighttpd server and apply the vendor’s patch if available.
  • Configure network firewalls or access controls to restrict or block unauthenticated access to the HTTP interface, limiting exposure to the vulnerable component.
  • Ensure that the lighttpd compilation includes stack protection (e.g., stack canaries) and that the server does not accept excessively large SESSIONID cookies.
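As an added illustration of the last point (this is not code from lighttpd or from the WAGO firmware; the 64-byte cap, the status codes and the function names are assumptions), a bounded SESSIONID extraction that rejects oversized values outright instead of copying them into a fixed-size stack buffer:

```c
#include <stddef.h>
#include <string.h>

/* Assumed upper bound on a legitimate SESSIONID value; pick the real one
 * from the session implementation. Anything longer is rejected, not truncated. */
#define SESSIONID_MAX 64

enum cookie_status { COOKIE_OK = 0, COOKIE_ABSENT = 1, COOKIE_TOO_LONG = 2 };

/* Copy the SESSIONID value from a Cookie header into out (capacity out_len).
 * The length is checked before any byte is written, so a caller-supplied
 * stack buffer of SESSIONID_MAX + 1 bytes can never be overrun. */
enum cookie_status get_sessionid(const char *cookie_hdr, char *out, size_t out_len)
{
    const char *p = cookie_hdr;
    while (p && *p) {
        while (*p == ' ' || *p == ';') p++;          /* skip separators */
        if (strncmp(p, "SESSIONID=", 10) == 0) {     /* match only at token start */
            const char *v = p + 10;
            size_t n = strcspn(v, ";");               /* value ends at ';' or NUL */
            if (n > SESSIONID_MAX || n + 1 > out_len)
                return COOKIE_TOO_LONG;               /* reject: answer 400, log it */
            memcpy(out, v, n);
            out[n] = '\0';
            return COOKIE_OK;
        }
        p = strchr(p, ';');                           /* next cookie, or NULL */
    }
    return COOKIE_ABSENT;
}

/* Status-only wrapper using a correctly sized local buffer. */
enum cookie_status sessionid_status(const char *cookie_hdr)
{
    char buf[SESSIONID_MAX + 1];
    return get_sessionid(cookie_hdr, buf, sizeof buf);
}

/* Returns 1 when the header carries SESSIONID equal to expected. */
int sessionid_equals(const char *cookie_hdr, const char *expected)
{
    char buf[SESSIONID_MAX + 1];
    return get_sessionid(cookie_hdr, buf, sizeof buf) == COOKIE_OK &&
           strcmp(buf, expected) == 0;
}

/* Constructed check: a 200-byte SESSIONID (far past the cap) must be rejected. */
int overlong_sessionid_is_rejected(void)
{
    char hdr[sizeof("SESSIONID=") + 200];
    memcpy(hdr, "SESSIONID=", 10);
    memset(hdr + 10, 'A', 200);
    hdr[210] = '\0';
    return sessionid_status(hdr) == COOKIE_TOO_LONG;
}
```

The same cap can be enforced one layer earlier by rejecting whole Cookie headers above a fixed size, which also keeps the oversized request out of later parsing stages.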


Advisories

No advisories yet.

History

Tue, 10 Feb 2026 12:45:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  (none)           Wago; Wago 0852-1322; Wago 0852-1328
  Vendors & Products   (none)           Wago; Wago 0852-1322; Wago 0852-1328

Mon, 09 Feb 2026 08:00:00 +0000

  Type          Values Removed   Values Added
  Description   (none)           An unauthenticated remote attacker can send a crafted HTTP request containing an overly long SESSIONID cookie. This can trigger a stack buffer overflow in the modified lighttpd server, causing it to crash and potentially enabling remote code execution due to missing stack protections.
  Title         (none)           Stack Overflow via SESSIONID Cookie in lighttpd
  Weaknesses    (none)           CWE-121
  References
  Metrics       (none)           cvssV3_1: score 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published:

Updated: 2026-02-09T15:36:36.790Z

Reserved: 2026-01-13T08:33:25.683Z

Link: CVE-2026-22903

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-02-09T08:16:10.103

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22903

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:45:28Z

Weaknesses