CVE-2026-22194 PUBLISHED

GestSup <= 3.2.56 CSRF Allows Privileged Actions

Assigner: VulnCheck
Reserved: 06.01.2026 Published: 09.01.2026 Updated: 14.01.2026

GestSup versions up to and including 3.2.60 contain a cross-site request forgery (CSRF) vulnerability where the application does not verify the authenticity of client requests. An attacker can induce a logged-in user to submit crafted requests that perform actions with the victim's privileges. This can be exploited to create privileged accounts by targeting the administrative user creation endpoint.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:H/SA:H
CVSS Score: 8.9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	Low
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	Present	Availability	High	Availability	High
Privileges Required	None
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	GestSup
Product	GestSup
Versions	Default: unknown affected from 0 to 3.2.60 (incl.)

CVE-2026-22194 PUBLISHED

GestSup <= 3.2.56 CSRF Allows Privileged Actions

Metrics

Product Status

Credits

References

Problem Types