Cyber Posture

CVE-2026-22788

Severity: High · Public PoC

Published: 12 January 2026
Modified: 21 January 2026
KEV Added:
Patch:
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0036 (57.9th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

WebErpMesv2 is a web-based Resource Management and Manufacturing Execution System for industry. Prior to 1.19, the WebErpMesV2 application exposes multiple sensitive API endpoints without authentication middleware. An unauthenticated remote attacker can read business-critical data including companies, quotes, orders, tasks, and whiteboards. Limited write access allows creation of company records and full manipulation of collaboration whiteboards. This vulnerability is fixed in 1.19.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: AC-14 explicitly requires defining and restricting actions permitted without identification or authentication, directly preventing exposure of sensitive API endpoints to unauthenticated attackers.

Prevent: AC-3 mandates enforcement of approved authorizations for access to system resources, ensuring authentication middleware blocks unauthorized reads and writes on critical APIs.

Prevent: IA-2 requires identification and authentication of users before accessing system resources, directly mitigating unauthenticated access to business-critical data and manipulation functions.

Security Summary [AI-generated]

CVE-2026-22788 affects WebErpMesv2, an open-source web-based Resource Management and Manufacturing Execution System designed for industrial use. In versions prior to 1.19, the application exposes multiple sensitive API endpoints without authentication middleware, violating CWE-306 (Missing Authentication for Critical Function). This flaw, assigned a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), enables unauthorized access to critical business data and limited manipulation capabilities.

An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no privileges required. Successful exploitation allows reading of sensitive business-critical information, such as companies, quotes, orders, tasks, and whiteboards. Additionally, attackers gain limited write access to create new company records and fully manipulate collaboration whiteboards, potentially disrupting operations or enabling further persistence.

The GitHub security advisory (GHSA-pp68-5pc2-hv7w) and the associated commit (3a7ab1c95d1d1c8f7c62c84bc87b3666ecd2fa23) confirm the issue is resolved in WebErpMesv2 version 1.19, which introduces proper authentication middleware for the affected endpoints. Security practitioners should upgrade to 1.19 or later and review API access configurations to confirm that every sensitive endpoint is covered by the middleware.

Details

CWE(s): CWE-306 (Missing Authentication for Critical Function)

Affected Products: wem-project / wem, ≤ 1.19

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability involves missing authentication on sensitive API endpoints in a public-facing web application, enabling unauthenticated remote exploitation for data access and limited manipulation, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References