CVE-2026-22558

Published Mar 19, 2026

Last updated a month ago

CVSS high 7.7
Network

Overview

Description
An Authenticated NoSQL Injection vulnerability found in UniFi Network Application could allow a malicious actor with authenticated access to the network to escalate privileges.
Source
support@hackerone.com
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.7
Impact score
4
Exploitability score
3.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Severity
HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-943

Social media

Hype score
Not currently trending

Related CVEs

  1. Palo Alto Networks PAN-OS Authentication Bypass VulnerabilityCVE-2026-0257
  2. Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.CVE-2026-40372
  3. A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of this vulnerability could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.CVE-2026-20147
  4. Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an unauthorized attacker to execute code over a network.CVE-2026-33827
  5. Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.CVE-2026-33824

References

Sources include official advisories and independent security research.