CVE-2026-22903
published 2026-02-09CVE-2026-22903: An unauthenticated remote attacker can send a crafted HTTP request containing an overly long SESSIONID cookie. This can trigger a stack buffer overflow in the…
critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
An unauthenticated remote attacker can send a crafted HTTP request containing an overly long SESSIONID cookie. This can trigger a stack buffer overflow in the modified lighttpd server, causing it to crash and potentially enabling remote code execution due to missing stack protections.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wago | 0852-1322 | — | — |
| wago | 0852-1322 | 0.0.0 – 2.64 | — |
| wago | 0852-1328 | — | — |
| wago | 0852-1328 | 0.0.0 – 2.64 | — |