Description
Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to gain unrestricted read and write access to the entire Vvveb database, including administrator password hashes, customer personally identifiable information, and order data, enabling account takeover and data manipulation.
Published: 2026-05-06
Score: 9.2 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vvveb versions earlier than 1.0.8.2 store hard‑coded administrator credentials in a docker‑compose configuration that launches a phpMyAdmin container. Because the credentials are embedded, an unauthenticated attacker who can reach the phpMyAdmin port can log in automatically, gaining unrestricted read and write privileges against the entire Vvveb database. This enables retrieval of administrator password hashes, customer personal data, and order information, and permits arbitrary data modification, leading to account takeover and data tampering. The weakness is categorized as CWE‑306.

Affected Systems

The affected product is Vvveb supplied by givanz. Any installation that uses the bundled phpMyAdmin container and remains at a version prior to 1.0.8.2 is vulnerable. Deployments that have upgraded to 1.0.8.2 or later have removed the hard‑coded credentials and are not affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.2, indicating critical severity. EPSS data is not available and the CVE is not listed in KEV, but neither diminishes the potential for exploitation. Attackers can reach the phpMyAdmin service from any network that exposes the container, then connect to the database with full privilege, exfiltrating or altering sensitive data. Exploitation requires no prior authentication, so it is accessible to any remote actor.

Generated by OpenCVE AI on May 6, 2026 at 21:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vvveb to version 1.0.8.2 or later, which removes the hard‑coded credentials.
  • If an upgrade cannot be performed immediately, isolate the phpMyAdmin container by blocking external access to its port or remove the container entirely to prevent unauthenticated connections.
  • For custom docker‑compose deployments, replace the embedded credentials with secure, randomly generated values and enforce authentication for the phpMyAdmin interface before deploying the container.
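
A small audit for the pattern described above, added here as an example and not taken from Vvveb or OpenCVE. It assumes the official phpMyAdmin image's `PMA_USER`/`PMA_PASSWORD` variables (which enable auto-login) and a two-space-indented compose file; the sample file is constructed, and `split_services` and `audit` are illustrative names.

```python
import re

# Constructed sample for illustration; NOT the project's docker-compose-apache.yaml.
SAMPLE = """\
services:
  phpmyadmin:
    image: phpmyadmin:latest
    ports:
      - "8081:80"
    environment:
      PMA_USER: root
      PMA_PASSWORD: example-password
  admin-local:
    image: phpmyadmin:latest
    ports:
      - "127.0.0.1:8082:80"
    environment:
      - PMA_HOST=db
"""

def split_services(text):
    """Map each service under the top-level `services:` key to its stripped lines."""
    services, current, in_services = {}, None, False
    for line in text.splitlines():
        if re.match(r"\S", line):  # a new top-level key starts here
            in_services, current = line.startswith("services:"), None
            continue
        m = re.match(r"  ([\w.-]+):\s*$", line)
        if in_services and m:
            current = m.group(1)
            services[current] = []
        elif current:
            services[current].append(line.strip().lstrip("- ").strip("\"'"))
    return services

def audit(text):
    """Return (service, finding) pairs for phpMyAdmin services that auto-login or are exposed."""
    findings = []
    for name, lines in split_services(text).items():
        if not any(re.match(r"image:.*phpmyadmin", ln, re.I) for ln in lines):
            continue
        for ln in lines:
            cred = re.match(r"(PMA_USER|PMA_PASSWORD)\s*[:=]\s*(.+)", ln)
            if cred:  # either variable switches the image to passwordless auto-login
                kind = "from environment" if cred.group(2).startswith("$") else "hard-coded"
                findings.append((name, f"{cred.group(1)} {kind}: auto-login enabled"))
            if re.fullmatch(r"(0\.0\.0\.0:)?\d+:\d+(/\w+)?", ln):  # no loopback bind
                findings.append((name, f"port {ln} reachable on all interfaces"))
    return findings
```

Moving the password into an environment variable still leaves auto-login on, which is why the audit reports that case as well; a loopback-only port binding such as the `admin-local` service produces no finding.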


Advisories

No advisories yet.

History

Wed, 06 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Givanz; Givanz vvveb
Vendors & Products | | Givanz; Givanz vvveb

Wed, 06 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to gain unrestricted read and write access to the entire Vvveb database, including administrator password hashes, customer personally identifiable information, and order data, enabling account takeover and data manipulation.
Title | | Vvveb < 1.0.8.2 Hard-coded Credentials Information Disclosure via phpMyAdmin
Weaknesses | | CWE-306
References | |
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | cvssV4_0 {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-06T19:34:56.694Z

Reserved: 2026-04-22T18:50:43.620Z

Link: CVE-2026-41930

Vulnrichment

Updated: 2026-05-06T19:34:12.930Z

NVD

Status: Deferred

Published: 2026-05-06T19:16:37.130

Modified: 2026-05-06T20:16:32.540

Link: CVE-2026-41930

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T22:30:13Z
