PT-2026-2167 · Gestsup · Gestsup

Geoffrey Robert

Published: 2026-01-09 · Updated: 2026-01-09

CVE-2026-22194

CVSS v4.0: 8.9 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: GestSup versions up to and including 3.2.56

Description: The application does not verify the authenticity of client requests, which results in a cross-site request forgery (CSRF) condition. An attacker can potentially trick a logged-in user into submitting malicious requests, allowing the attacker to perform actions with that user's permissions. Specifically, this can be used to create privileged accounts by targeting the administrative user creation endpoint /admin/createUser. The createUser() function is vulnerable to this attack.

Recommendations: It is recommended to use versions prior to 3.2.56.
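The advisory's point is that the user-creation handler honours any authenticated POST, so a form submitted from another site succeeds. The following is an added illustration, not GestSup's code: a stand-in handler in the unprotected shape beside a version that checks a per-session synchronizer token and the Origin header. The session and request dicts, the field names and https://helpdesk.example are assumptions.

```python
# Added example: synchronizer-token CSRF protection for a privileged
# "create user" handler. Constructed illustration, not GestSup's code;
# the session/request dicts and SITE_ORIGIN are assumptions.
import hmac
import secrets
from typing import Dict, Optional

SITE_ORIGIN = "https://helpdesk.example"  # assumed origin of the application

def issue_csrf_token(session: Dict[str, str]) -> str:
    """Mint one random secret per session; the form embeds it as a hidden field."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]

def create_user_unprotected(session: Dict, request: Dict) -> Optional[str]:
    """The pattern the advisory describes: any authenticated POST is honoured,
    so a form auto-submitted from another site creates the account."""
    if not session.get("is_admin"):
        return None
    return request["form"]["username"]

def create_user_protected(session: Dict, request: Dict) -> Optional[str]:
    """Same handler with request-authenticity checks; returns None on rejection."""
    if not session.get("is_admin") or request["method"] != "POST":
        return None
    expected = session.get("csrf")
    submitted = request["form"].get("csrf_token", "")
    # Constant-time compare; an unset session token also fails closed.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return None
    # Defence in depth: browsers attach Origin to cross-site POSTs.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return None
    return request["form"]["username"]

def demo():
    """Constructed requests: one forged cross-site, one from the real form."""
    session = {"is_admin": True}
    token = issue_csrf_token(session)
    forged = {"method": "POST", "headers": {"Origin": "https://other-site.example"},
              "form": {"username": "backdoor"}}          # no token at all
    legit = {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
             "form": {"username": "alice", "csrf_token": token}}
    return (create_user_unprotected(session, forged),
            create_user_protected(session, forged),
            create_user_protected(session, legit))

if __name__ == "__main__":
    print(demo())  # ('backdoor', None, 'alice')
```

A token that is present but stale or copied from another session fails the same comparison, which is the property the unprotected handler lacks.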

Fix

CSRF


Weakness Enumeration

Related Identifiers: CVE-2026-22194

Affected Products: Gestsup