CVE-2026-22313 | The device has a webserver that exposes a REST API authentic… | CVSS 9.1 CRITICAL

Description

The device has a webserver that exposes a REST API authenticated with a token on the management network. By exploiting an OS command injection vulnerability an authenticated attacker can send arbitrary commands to the device that are executed with administrative permissions by the underlying operating system.

Metadata

CVE ID: CVE-2026-22313
State: PUBLISHED
Assigner: ENISA
Reserved: 2026-01-07 09:31 UTC
Published: 2026-06-16 18:36 UTC
Last updated: 2026-06-17 15:04 UTC
Primary CWE: CWE-78
CWE-78: Improper Neutralization of Special Elements used in …
Vendor / Product: Radiflow / iSAP Smart Collector
Sources: cve.org · NVD

Severity & Metrics

9.1 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Radiflow	iSAP Smart Collector	—	3.07-1

Weakness (CWE)

CWE	Source	Description
CWE-78	cna	CWE-78: Improper Neutralization of Special Elements used in an OS Command

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.1	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

References (1)

https://www.cvcn.gov.it/cvcn/cve/CVE-2026-22313