cbcvebase.
CVE-2026-22034
published 2026-01-08

Priority: P260 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.66% (46.8th percentile)
Snuffleupagus is a module that raises the cost of attacks against websites by killing bug classes and providing a virtual patching system. On deployments of Snuffleupagus prior to version 0.13.0 with the non-default upload validation feature enabled and configured to use one of the upstream validation scripts based on Vulcan Logic Disassembler (VLD), while the VLD extension is not available to the CLI SAPI, all files from multipart POST requests are evaluated as PHP code. The issue was fixed in version 0.13.0.

Affected (3 ranges)

Vendor    Product         Version range                        Fixed in
debian    snuffleupagus   < snuffleupagus 0.13.0-1 (forky)     snuffleupagus 0.13.0-1 (forky)
jvoisin   snuffleupagus   < 0.13.0                             0.13.0
jvoisin   snuffleupagus   >= 0 < 0.13.0-1                      0.13.0-1

Detection & IOCs (extracted from sources)

  • All files from multipart POST requests are evaluated as PHP code when the VLD-based upload validation script is configured but the VLD extension is unavailable to the CLI SAPI — monitor for unexpected PHP execution triggered by multipart POST file uploads on affected Snuffleupagus deployments (versions prior to 0.13.0)
  • Exploitation requires the non-default upload validation feature to be enabled and configured to use a VLD-based upstream validation script — audit Snuffleupagus configurations for upload validation directives referencing VLD scripts
  • The vulnerability only affects deployments where the non-default upload validation feature is explicitly enabled and a VLD-based validation script is configured — default Snuffleupagus installations are NOT affected
  • The vulnerable condition is triggered specifically when the VLD PHP extension is absent from the CLI SAPI environment — presence of VLD in the CLI SAPI prevents the vulnerable code path
  • Fixed in Snuffleupagus version 0.13.0 (Debian packages forky and sid resolved in 0.13.0-1)

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v4.0      9.2     CRITICAL   CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv             —         9.2     CRITICAL   —
vendor_debian   —         9.2     LOW        —