CVE-2026-22903 CRITICAL

CVE-2026-22903: Stack Overflow via SESSIONID Cookie in lighttpd

Vendor: Wago
Product: 0852-1322
Weakness: CWE-121
Published: February 9, 2026
Last update: February 9, 2026

CVSS base score

9.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

An unauthenticated remote attacker can send a crafted HTTP request containing an overly long SESSIONID cookie. This can trigger a stack buffer overflow in the modified lighttpd server, causing it to crash and potentially enabling remote code execution due to missing stack protections.

Key dates

02 Disclosure timeline

February 9, 2026: CVE published
February 9, 2026: Record updated