Description
Vvveb prior to 1.0.8.1 contains a privilege escalation vulnerability in the admin user profile save endpoint that allows authenticated users to modify privileged fields on their own profile. Attackers can inject role_id=1 into profile save requests to escalate to Super Administrator privileges, enabling plugin upload functionality for remote code execution.
Published: 2026-04-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to Super Administrator, enabling plugin upload and remote code execution
Action: Patch Immediately
AI Analysis

Impact

Vvveb prior to version 1.0.8.1 contains a flaw in the admin user profile save endpoint that allows an authenticated user to inject a role_id value of 1 into profile save requests. The resulting change elevates the attacker to Super Administrator status, which in turn provides access to plugin upload functionality and enables remote code execution. This weakness is mapped to CWE-915 (Insufficient Authorization).

Affected Systems

The affected product is Vvveb, with all releases older than 1.0.8.1 vulnerable. Users running these versions should treat their installation as unpatched.

Risk and Exploitability

The vulnerability has a CVSS score of 8.7, indicating a high severity risk. EPSS data is not available, and the issue is not listed in the CISA KEV catalog, suggesting that it is not known to be actively exploited in the wild yet, but the potential for privilege escalation and subsequent remote code execution makes it a critical concern. An attacker must first authenticate, then send a crafted request to the admin/user/save endpoint; successful exploitation results in super user privileges and the ability to upload malicious plugins.

Generated by OpenCVE AI on April 20, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vvveb to version 1.0.8.1 or newer, which removes the privilege escalation vulnerability.
  • Modify the admin/user/save endpoint to enforce strict authorization checks so that only users already holding Super Administrator privileges can alter the role_id field. This prevents lower-level accounts from escalating privileges.
  • Disable plugin upload capabilities or restrict them to verified administrators until the patch is applied, and monitor for any unauthorized privilege changes or plugin submissions.
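As an added illustration of the second and third recommended actions (example code, not Vvveb's own; the field names other than role_id, the data layout, and the rule that a Super Administrator cannot change the role on their own profile are assumptions), a request filter that applies a field allowlist, enforces an authorization check on role_id, and flags rejected privileged-field attempts for monitoring:

```python
from dataclasses import dataclass, field

SUPER_ADMIN_ROLE_ID = 1  # per the advisory, role_id=1 is Super Administrator

# Allowlist of fields any user may change on their own profile (assumed names).
SELF_EDITABLE_FIELDS = {"first_name", "last_name", "email", "avatar"}
# Fields only a Super Administrator may set. role_id comes from the advisory;
# "status" is an assumed example of another privileged attribute.
PRIVILEGED_FIELDS = {"role_id", "status"}


@dataclass
class SaveResult:
    accepted: dict = field(default_factory=dict)
    rejected: dict = field(default_factory=dict)
    alert: bool = False  # True when a non-admin tried to set a privileged field


def save_profile(actor: dict, target_user_id: int, submitted: dict) -> SaveResult:
    """Filter a profile-save request before it reaches the data layer.

    actor:          {"id": ..., "role_id": ...} of the authenticated caller
    target_user_id: id of the profile being saved
    submitted:      raw request fields, treated as attacker-controlled
    """
    result = SaveResult()
    is_super_admin = actor["role_id"] == SUPER_ADMIN_ROLE_ID
    editing_self = actor["id"] == target_user_id

    for name, value in submitted.items():
        if name in SELF_EDITABLE_FIELDS and (editing_self or is_super_admin):
            result.accepted[name] = value
        elif name in PRIVILEGED_FIELDS and is_super_admin and not editing_self:
            # Assumed policy: role changes are an admin action on someone
            # else's account, never on the admin's own profile.
            result.accepted[name] = value
        else:
            # Unknown fields are dropped (no mass assignment); privileged
            # fields from non-admins are dropped and flagged for monitoring.
            result.rejected[name] = value
            if name in PRIVILEGED_FIELDS and not is_super_admin:
                result.alert = True
    return result
```

The `alert` flag is the hook for the monitoring step: a non-admin submitting role_id on their own profile is exactly the pattern the advisory describes and should be logged.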

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 15:45:00 +0000

Values removed: none
Values added:
  First Time appeared: Givanz; Givanz vvveb
  Vendors & Products: Givanz; Givanz vvveb

Mon, 20 Apr 2026 15:15:00 +0000

Values removed: none
Values added:
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 14:30:00 +0000

Values removed: none
Values added:
  Description: Vvveb prior to 1.0.8.1 contains a privilege escalation vulnerability in the admin user profile save endpoint that allows authenticated users to modify privileged fields on their own profile. Attackers can inject role_id=1 into profile save requests to escalate to Super Administrator privileges, enabling plugin upload functionality for remote code execution.
  Title: Vvveb < 1.0.8.1 Privilege Escalation via admin/user/save
  Weaknesses: CWE-915
  References: none listed
  Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Metrics (cvssV4_0): {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-20T14:51:12.245Z

Reserved: 2026-03-27T15:24:06.752Z

Link: CVE-2026-34427

Vulnrichment

Updated: 2026-04-20T14:50:59.727Z

NVD

Status: Deferred

Published: 2026-04-20T16:16:44.250

Modified: 2026-04-20T18:54:59.077

Link: CVE-2026-34427

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T15:30:06Z

Weaknesses