PatchSiren cyber security CVE debrief
CVE-2026-22315 Mesalvo CVE debrief
CVE-2026-22315 describes an incorrect privilege assignment issue in the Meona Client Launcher Component and Meona Server Component that can allow export of user data, including cleartext passwords, via the SQL editor. The supplied NVD record rates the issue HIGH with CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating remote reachability but requiring high privileges. The affected ranges in the source data are Meona Client Launcher Component through 19.06.2020 15:11:49 and Meona Server Component through 2025.04 5+323020.
- Vendor: Mesalvo
- Product: Meona Client Launcher Component
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
Security teams, application administrators, database administrators, and identity/access-management owners responsible for Meona Client Launcher or Meona Server deployments. Environments where privileged users can access the SQL editor should treat this as a sensitive data exposure risk.
Technical summary
The vulnerability is categorized as incorrect privilege assignment (CWE-266 in the supplied source metadata). According to the NVD-linked source, the SQL editor can be used to export user data, including cleartext passwords, when the affected Meona components are deployed at or below the listed versions. Because the CVSS vector requires high privileges, the primary risk is abuse of overly broad administrative access rather than unauthenticated exploitation.
Defensive priority
High for environments that expose the SQL editor or store sensitive user data in Meona; the exposure includes cleartext passwords, which can require urgent containment if privileged accounts are too widely shared or compromised.
Recommended defensive actions
- Inventory Meona Client Launcher and Meona Server versions and compare them against the affected ranges in the CVE record.
- Restrict SQL editor access to the smallest possible set of trusted administrators.
- Review role mappings and privilege assignments for overbroad access to export functionality.
- Disable or limit data export paths where feasible until the vendor provides a verified fix or guidance.
- Audit logs for SQL editor use and unusual export activity, especially by privileged accounts.
- If any password data may have been exported, rotate exposed credentials and assess whether other secrets were included.
- Track the official CVE/NVD records and vendor guidance for updated fixed versions or compensating controls.
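The inventory step above can be scripted. The following is an added example, not vendor or NVD code: it classifies installed versions against the two upper bounds quoted in this debrief. The version string formats (a DD.MM.YYYY HH:MM:SS build timestamp for the launcher, "<year>.<month> <patch>+<build>" for the server), the host names and the inventory rows are assumptions made for illustration.

```python
import re
from datetime import datetime

# Upper bounds copied verbatim from the affected ranges stated in the CVE record.
LAUNCHER_MAX = "19.06.2020 15:11:49"
SERVER_MAX = "2025.04 5+323020"

def parse_launcher(v):
    # Assumption: launcher versions are build timestamps, DD.MM.YYYY HH:MM:SS.
    return datetime.strptime(v.strip(), "%d.%m.%Y %H:%M:%S")

def parse_server(v):
    # Assumption: "<year>.<month> <patch>+<build>", ordered field by field.
    m = re.fullmatch(r"(\d{4})\.(\d{1,2}) (\d+)\+(\d+)", v.strip())
    if not m:
        raise ValueError(v)
    return tuple(int(g) for g in m.groups())

PARSERS = {
    "launcher": (parse_launcher, parse_launcher(LAUNCHER_MAX)),
    "server": (parse_server, parse_server(SERVER_MAX)),
}

def classify(component, version):
    """Return 'affected', 'outside-range' or 'manual-review'."""
    entry = PARSERS.get(component)
    if entry is None:
        return "manual-review"
    parse, upper = entry
    try:
        return "affected" if parse(version) <= upper else "outside-range"
    except ValueError:
        # Unknown format: never report it as safe, send it to a human.
        return "manual-review"

# Constructed inventory rows (host, component, version string); not real data.
INVENTORY = [
    ("ward-pc-01", "launcher", "19.06.2020 15:11:49"),
    ("ward-pc-02", "launcher", "02.03.2021 09:30:00"),
    ("app-srv-01", "server", "2025.04 5+323020"),
    ("app-srv-02", "server", "2025.04 6+330000"),
    ("app-srv-03", "server", "2024.10 12+300111"),
    ("app-srv-04", "server", "unknown"),
]

def triage(rows):
    return {host: classify(comp, ver) for host, comp, ver in rows}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

"outside-range" only means the version is above the listed bound; the record names no fixed version, so those hosts still need the access restrictions listed above.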
Evidence notes
This debrief is based only on the supplied NVD record, the official CVE/NVD links, and the referenced Seccore blog entry cited in the NVD metadata. The NVD record shown in the corpus lists the vulnerability status as Deferred and includes the CVSS vector and weakness mapping used here. No KEV entry was provided in the source corpus.
Official resources
- CVE-2026-22315 CVE record (CVE.org)
- CVE-2026-22315 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: a6d3dc9e-0591-4a13-bce7-0f5b31ff6158
Publicly disclosed in the CVE/NVD record on 2026-05-20; the supplied NVD metadata also shows a same-day modification at 2026-05-20T14:03:10.193Z. No KEV listing was included in the provided corpus.