Description
Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. Attackers can access the cron controller without authentication and retrieve the exposed secret key from the response, enabling them to trigger scheduled task execution outside of the intended schedule.
Published: 2026-05-07
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows unauthenticated attackers to retrieve the application's secret cron key via the cron controller, exposing sensitive configuration. This disclosure can enable attackers to trigger scheduled tasks outside the intended schedule, potentially leading to unauthorized code execution or data manipulation.

Affected Systems

The issue affects the Vvveb content management system from givanz, in versions older than 1.0.8.2. From 1.0.8.2 onward the cron key is no longer publicly exposed. The vulnerability is limited to the cron controller endpoint and does not require pre-existing authentication.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium risk, and the vulnerability is exploitable over the network by anyone who can reach the cron controller endpoint. There is currently no EPSS data and the flaw is not listed in the KEV catalog. Attackers can simply request the cron controller URL and capture the exposed key. Once the key is known, they can invoke the cron job API to execute tasks at will, bypassing normal scheduling controls.

Generated by OpenCVE AI on May 7, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vvveb to version 1.0.8.2 or newer, which removes the cron key exposure.
  • Confirm that the cron controller endpoint requires authentication or is disabled in production environments, ensuring that only authorized users can access it.
  • Review and restrict the permissions of scheduled tasks, removing any that are unnecessary or have high privilege, to reduce potential impact if the cron key is compromised.

Advisories

No advisories yet.

History

Thu, 07 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Givanz; Givanz vvveb
Vendors & Products | | Givanz; Givanz vvveb

Thu, 07 May 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. Attackers can access the cron controller without authentication and retrieve the exposed secret key from the response, enabling them to trigger scheduled task execution outside of the intended schedule.
Title | | Vvveb < 1.0.8.2 Information Disclosure via Cron Controller
Weaknesses | | CWE-497
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}; cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-07T21:13:13.870Z

Reserved: 2026-04-22T18:50:43.620Z

Link: CVE-2026-41928

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-07T22:16:35.313

Modified: 2026-05-07T22:16:35.313

Link: CVE-2026-41928

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T22:30:36Z
