CVE-2026-22557 is a critical unauthenticated path traversal vulnerability in the Ubiquiti UniFi Network Application, specifically in the guest captive portal request handling under /guest/*. Available analysis indicates the vulnerable code path uses the page_error request parameter verbatim as a relative path when loading portal resources. In affected builds, the application concatenates attacker-controlled input with the portal directory path and streams the resulting file via FileInputStream without sufficient validation, canonicalization, or containment checks. A demonstrated request such as GET /guest/s/default/login?page_error=../../web.xml can disclose internal application files such as WEB-INF/web.xml. Cited research further states that the flaw is reachable through guest portal routes exposed not only on guest ports but also on the admin HTTPS port. Full exploitation depends on at least one UniFi site having a customized guest portal enabled, because that filesystem-backed branch exposes controller-resident files outside the intended portal directory. Reported affected versions include UniFi Network Application 10.1.85 and earlier, Release Candidate 10.2.93 and earlier, and UniFi Express Network App 9.0.114 and earlier.
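For the assume-compromise review, a defender can sweep controller access logs for the request pattern described above: a GET under /guest/ whose page_error parameter contains a ".." path segment after URL decoding. The following is an added example written for this page, not code from Ubiquiti or from any cited research; the log lines it parses are constructed samples in combined log format, and the path and parameter names are the ones named above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real telemetry.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:10:01:02 +0000] "GET /guest/s/default/login?page_error=../../web.xml HTTP/1.1" 200 1532
203.0.113.5 - - [10/Mar/2026:10:01:09 +0000] "GET /guest/s/default/login?page_error=%2e%2e%2f%2e%2e%2fweb.xml HTTP/1.1" 200 1532
198.51.100.7 - - [10/Mar/2026:10:02:00 +0000] "GET /guest/s/default/login?page_error=invalid_voucher HTTP/1.1" 200 887
198.51.100.9 - - [10/Mar/2026:10:03:11 +0000] "GET /manage/account/login HTTP/1.1" 200 4410
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def has_traversal(value: str) -> bool:
    """True if the parameter value contains a '..' path segment once decoded.

    parse_qs already decodes one layer; a second unquote catches double
    encoding, and backslashes are normalised so '..\\' is treated like '../'.
    """
    decoded = unquote(value).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def find_suspicious(log_text: str) -> list[dict]:
    """Return one record per /guest/* request whose page_error traverses upward.

    A 200 status on a hit means the controller answered the request; pair it
    with the response size to judge whether file content was actually returned.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith("/guest/"):
            continue  # only the guest portal routes carry page_error
        for value in parse_qs(parts.query, keep_blank_values=True).get("page_error", []):
            if has_traversal(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": int(m.group("status")),
                             "page_error": unquote(value)})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Run it against logs from both the guest ports and the admin HTTPS port, since the cited research reports the route is reachable on both.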
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository is a small standalone proof-of-concept exploit for CVE-2026-22557 affecting the Ubiquiti UniFi Network Application guest portal. The repo contains two files: a single Python exploit script (CVE-2026-22557.py) and a README with usage examples. The Python script is the clear entry point and uses requests/urllib3 to send an unauthenticated HTTP GET request to the guest portal login endpoint, defaulting to /guest/s/default/login. It appends the page_error parameter with a relative traversal path, default ../../web.xml, and sets a crafted Referer header that imitates expected guest portal traffic. The exploit supports custom target URLs, custom guest portal paths, arbitrary file/resource paths, optional output-to-file, and optional HTTP proxying. It handles redirects and basic failure cases, and prints or saves the retrieved content when successful. The exploit’s main capability is pre-auth arbitrary file read/path traversal; it does not provide code execution, persistence, or post-exploitation features. The README states that customized guest portals may potentially allow access beyond the webapp context via a FileInputStream fallback, but this is presented as unconfirmed. Overall, this is a focused, functional PoC for unauthenticated file disclosure over the web/network attack surface.
45 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical arbitrary file read / path traversal vulnerability in UniFi Network's guest portal login endpoint, where the page_error parameter can be manipulated to retrieve internal files such as WEB-INF/web.xml.
An unauthenticated path traversal vulnerability in the UniFi Network Application guest captive portal that can allow arbitrary file reads and exposure of backups, credentials, keystores, and other sensitive controller data.
A maximum severity vulnerability in the UniFi Network Application that may allow attackers to take over user accounts.
A critical path traversal vulnerability in the Ubiquiti UniFi Network Application that affects versions 10.1.85 and earlier and can allow unauthenticated file access that may lead to user account hijacking.