CVE-2026-22194 HIGH

CVE-2026-22194: GestSup <= 3.2.60 CSRF Allows Privileged Actions

Vendor Gestsup
Product GestSup
Weakness CWE-352 · CSRF
Published January 9, 2026
Last update May 25, 2026

CVSS base score

8.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:H/SA:H

What the vulnerability does

01Description

GestSup versions up to and including 3.2.60 contain a cross-site request forgery (CSRF) vulnerability where the application does not verify the authenticity of client requests. An attacker can induce a logged-in user to submit crafted requests that perform actions with the victim's privileges. This can be exploited to create privileged accounts by targeting the administrative user creation endpoint.

Key dates

02Disclosure timeline

January 9, 2026 CVE published
May 25, 2026 Record updated