Description
Vvveb before version 1.0.8.2 contains an information disclosure vulnerability that allows unauthenticated attackers to obtain sensitive server information by triggering unhandled exceptions in the password-reset module. Attackers can access the admin password-reset endpoint to trigger a fatal error caused by a missing namespace import, which exposes the absolute server file path, internal class namespaces, line numbers, and source code excerpts through the debug exception handler rendered to unauthenticated requests.
Published: 2026-05-06
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vvveb before version 1.0.8.2 ships a debug exception handler that discloses server internals whenever an unhandled exception reaches it. An unauthenticated request to the admin password‑reset endpoint triggers a fatal error caused by a missing namespace import, and the default handler renders the resulting exception to the requester: absolute file paths, internal class namespaces, line numbers and source code excerpts. This is a classic information disclosure (CWE‑209, with CWE‑1188 for the insecure default) that hands an attacker a map of the application's structure and deployment environment.

Affected Systems

The affected product is the Vvveb content management system from the vendor givanz. Every installation running a release older than 1.0.8.2 is affected. The flaw sits in the password‑reset module and is reachable through the admin password‑reset endpoint wherever that endpoint is exposed to untrusted networks.

Risk and Exploitability

The CVSS v4.0 score of 6.9 (Medium; the v3.1 vector scores 5.3) reflects a network‑reachable flaw that needs no privileges or user interaction and affects confidentiality only, with no integrity or availability impact. Attackers exploit it with unauthenticated HTTP requests to the password‑reset endpoint, which is usually exposed to the web, so anyone who can reach the host can trigger it. The SSVC assessment recorded in the history below marks exploitation as 'poc' and the flaw as automatable. The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, but neither fact reduces the value of the disclosed paths, namespaces and code excerpts to an attacker preparing follow‑on attacks.

Generated by OpenCVE AI on May 6, 2026 at 21:16 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The description identifies version 1.0.8.2 as the first release without the flaw; see the recommended actions below.

OpenCVE Recommended Actions

  • Update Vvveb to version 1.0.8.2 or later, the first release the description identifies as no longer exposing exception details to unauthenticated requests.
  • If an update cannot be applied immediately, restrict access to the admin password‑reset endpoint so that only authenticated administrators can invoke it.
  • Configure the application or hosting environment to suppress detailed error output in production: the exception handler should log file paths, traces and excerpts server‑side and return only a generic error to the client, so that debug exception data is never rendered to unauthenticated users.
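
Both the failure mode described under Impact and the third recommended action can be shown in a few lines of PHP (Vvveb is a PHP application). The following is an added example written for this page, not Vvveb's own code: the controller and class names (Demo\Admin\PasswordReset, Mailer) are hypothetical stand‑ins. It reproduces the mechanism the advisory describes, a class referenced without a `use` import so PHP resolves it in the current namespace and throws a fatal \Error, then contrasts a debug‑style handler that renders path, line, excerpt and trace with a production handler that logs those details server‑side and returns only a reference id. A small indicator check reports which of the advisory's markers each response body contains.

```php
<?php
declare(strict_types=1);

namespace Demo\Admin;

// Hypothetical controller standing in for a password-reset module. It uses
// Mailer without a `use` statement, so PHP resolves the name relative to the
// current namespace (Demo\Admin\Mailer). No such class exists -> \Error.
final class PasswordReset
{
    public function sendResetLink(string $email): void
    {
        $mailer = new Mailer(); // would need `use Demo\Mail\Mailer;`
        $mailer->send($email, 'Reset your password');
    }
}

// Debug-style handler: renders everything a developer wants and everything an
// attacker wants (absolute path, line, source excerpt, namespaced trace).
function renderDebug(\Throwable $e): string
{
    $lines   = file($e->getFile(), FILE_IGNORE_NEW_LINES) ?: [];
    $from    = max(1, $e->getLine() - 2);
    $to      = min(count($lines), $e->getLine() + 2);
    $excerpt = '';
    for ($n = $from; $n <= $to; $n++) {
        $excerpt .= sprintf("%4d  %s\n", $n, $lines[$n - 1]);
    }
    return sprintf(
        "%s: %s\nFile: %s\nLine: %d\n%s\nStack trace:\n%s\n",
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        $excerpt, $e->getTraceAsString()
    );
}

// Production handler (hypothetical): full detail goes to the server log under a
// correlation id; the client only gets a generic message and that id.
function renderProduction(\Throwable $e): string
{
    $id = bin2hex(random_bytes(8));
    error_log(sprintf('[%s] %s: %s at %s:%d', $id, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));
    return "An internal error occurred. Reference: $id\n";
}

// Heuristic check for the markers the advisory lists. Run it against a captured
// response body to see whether an instance still leaks after hardening.
function leakIndicators(string $body): array
{
    $patterns = [
        'absolute path'   => '~(?<![\w/])/(?:[\w.-]+/)+[\w.-]+\.php\b~',
        'class namespace' => '~\b[A-Z]\w*(?:\\\\[A-Z]\w*)+\b~',
        'line number'     => '~\b(?:Line:|on line)\s*\d+~',
        'stack trace'     => '~Stack trace:~',
    ];
    $hits = [];
    foreach ($patterns as $label => $re) {
        if (preg_match($re, $body) === 1) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Drive the hypothetical endpoint once per handler. The thrown object is an
// \Error, not an \Exception, so the catch must be on \Throwable.
function simulate(callable $handler): string
{
    try {
        (new PasswordReset())->sendResetLink('user@example.com');
        return '';
    } catch (\Throwable $e) {
        return $handler($e);
    }
}

$debug = simulate(static fn(\Throwable $e): string => renderDebug($e));
$prod  = simulate(static fn(\Throwable $e): string => renderProduction($e));

printf("debug handler leaks: %s\n", implode(', ', leakIndicators($debug)) ?: 'nothing');
printf("production handler leaks: %s\n", implode(', ', leakIndicators($prod)) ?: 'nothing');
```

Run it with `php demo.php`. Two points carry over to a real deployment: a handler registered only for \Exception never sees the \Error produced by a missing import, so fatal errors fall through to whatever default renderer is active; and the excerpt is produced simply by reading the failing file back from disk, which is why a debug handler left enabled in production exposes source as well as paths. The indicator function is deliberately conservative and can be pointed at a saved HTTP response from a test request to your own instance.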

Advisories

No advisories yet.

History

Wed, 06 May 2026 22:45:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  -                Givanz; Givanz vvveb
  Vendors & Products   -                Givanz; Givanz vvveb

Wed, 06 May 2026 20:15:00 +0000

  Type                 Values Removed   Values Added
  Metrics              -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 19:15:00 +0000

  Type                 Values Removed   Values Added
  Description          -                (the description text shown at the top of this page)
  Title                -                Vvveb < 1.0.8.2 Information Disclosure via Debug Exception Handler
  Weaknesses           -                CWE-1188; CWE-209
  References           -                (empty)
  Metrics              -                cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
                                        cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-06T19:42:17.377Z

Reserved: 2026-04-22T18:50:43.620Z

Link: CVE-2026-41931

Vulnrichment

Updated: 2026-05-06T19:40:06.364Z

NVD

Status : Deferred

Published: 2026-05-06T19:16:37.277

Modified: 2026-05-06T20:16:32.670

Link: CVE-2026-41931

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T22:30:13Z

Weaknesses