QwikSec

Security Database

CVE

CWE

Training

CVE-2026-22034

Published: Jan 8, 2026

Modified: Jan 8, 2026

PUBLISHED

Description

Snuffleupagus is a module that raises the cost of attacks against website by killing bug classes and providing a virtual patching system. On deployments of Snuffleupagus prior to version 0.13.0 with the non-default upload validation feature enabled and configured to use one of the upstream validation scripts based on Vulcan Logic Disassembler (VLD) while the VLD extension is not available to the CLI SAPI, all files from multipart POST requests are evaluated as PHP code. The issue was fixed in version 0.13.0.

Vendor	Product	Versions
jvoisin	snuffleupagus	affected `< 0.13.0`

Weaknesses (CWE)

References

https://github.com/jvoisin/snuffleupagus/security/advisories/GHSA-c4ch-xw5p-2mvc

x_refsource_CONFIRM

https://github.com/jvoisin/snuffleupagus/commit/9278dc77bab2a219e770a1b31dd6797bc9070e37

x_refsource_MISC

https://github.com/jvoisin/snuffleupagus/blob/9278dc77bab2a219e770a1b31dd6797bc9070e37/src/sp_upload_validation.c#L92-L100

x_refsource_MISC

https://github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.php

x_refsource_MISC

https://github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.py

x_refsource_MISC

https://github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/ext/standard/dl.c#L165-L166

x_refsource_MISC

https://github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/main/rfc1867.c#L1269-L1274

x_refsource_MISC

https://snuffleupagus.readthedocs.io/config.html#upload-validation

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.