Description
Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset paths, plugins, themes, and media folders to view filenames, file sizes, modification timestamps, and unrendered admin templates containing sensitive route maps.
Published: 2026-05-14
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vvveb before version 1.0.8.3 is susceptible to directory listing information disclosure. The absence of proper index directives in .htaccess files allows unauthenticated attackers to access multiple directories, revealing file names, sizes, modification times, and even unrendered admin templates that contain sensitive route information. This flaw primarily results in a confidentiality breach, exposing internal structure and potential configuration details of the application.

Affected Systems

The affected product is Vvveb, versions earlier than 1.0.8.3. Attackers can enumerate directories such as admin asset paths, plugins, themes, and media folders, which may contain code and data critical to the application’s operation.

Risk and Exploitability

The CVSS score of 6.9 is rated Medium. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog. Because the flaw is exploitable without authentication and can be triggered via standard HTTP requests to publicly accessible URLs, the likely attack vector is remote over the web. An attacker may simply access exposed paths to gather sensitive information.

Generated by OpenCVE AI on May 14, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vvveb to version 1.0.8.3 or later to eliminate the directory listing flaw.
  • Add 'Options -Indexes' to the .htaccess files of admin, plugins, themes, and media directories to disable directory indexing.
  • Monitor incoming requests for patterns of directory listing attempts and implement rules to block such traffic.
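
To verify the 'Options -Indexes' action on a deployed copy, the following added example (not OpenCVE or Vvveb code) walks a document root, resolves how Options lines in nested .htaccess files inherit, and reports directories that would still render an automatic listing. It assumes AllowOverride permits Options in .htaccess, that server_default reflects whether the main Apache config enables Indexes, and that only plain Options lines matter; the directory names in build_sample() are constructed and are not Vvveb's real layout.

```python
import os, re, tempfile
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+)$", re.IGNORECASE)

def apply_htaccess(path, indexes):
    """Return the Indexes state after the Options lines of one .htaccess file."""
    if not os.path.isfile(path):
        return indexes
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = OPTIONS_RE.match(line)
            tokens = m.group(1).split() if m else []
            if all(t[0] in "+-" for t in tokens):
                # All-signed options merge with the inherited state
                # (this branch is a no-op for lines that are not Options).
                for t in tokens:
                    if t[1:].lower() == "indexes":
                        indexes = t[0] == "+"
            else:
                # Unsigned options replace the inherited set outright.
                indexes = any(t.lower() in ("indexes", "all") for t in tokens)
    return indexes

def listable_dirs(docroot, server_default=True, index_names=("index.php", "index.html")):
    """Directories under docroot where Apache would render an automatic listing."""
    exposed = []
    def walk(d, inherited):
        state = apply_htaccess(os.path.join(d, ".htaccess"), inherited)
        names = os.listdir(d)
        if state and not any(n in names for n in index_names):
            exposed.append(os.path.relpath(d, docroot))
        for n in names:
            sub = os.path.join(d, n)
            if os.path.isdir(sub) and not os.path.islink(sub):
                walk(sub, state)
    walk(docroot, server_default)
    return sorted(exposed)

def build_sample():
    """Constructed tree; directory names are illustrative, not Vvveb's real layout."""
    root = tempfile.mkdtemp()
    files = {"index.php": "", "admin/index.php": "", "admin/assets/app.js": "",
             "plugins/readme.txt": "", "themes/.htaccess": "Options -Indexes\n",
             "themes/default/style.css": "", "media/.htaccess": "Options -Indexes\n",
             "media/uploads/.htaccess": "Options Indexes FollowSymLinks\n"}
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    print(listable_dirs(build_sample()))
```

In the sample, media/uploads is reported even though media carries 'Options -Indexes', because an unsigned Options line in a child .htaccess replaces the inherited setting.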

Advisories

No advisories yet.

History

Thu, 14 May 2026 17:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Givanz; Givanz vvveb
Vendors & Products | | Givanz; Givanz vvveb

Thu, 14 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset paths, plugins, themes, and media folders to view filenames, file sizes, modification timestamps, and unrendered admin templates containing sensitive route maps.
Title | | Vvveb < 1.0.8.3 Directory Listing Information Disclosure
Weaknesses | | CWE-548
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T15:59:01.429Z

Reserved: 2026-04-22T18:50:43.620Z

Link: CVE-2026-41933

Vulnrichment

Updated: 2026-05-14T15:58:55.333Z

NVD

Status: Deferred

Published: 2026-05-14T15:16:45.873

Modified: 2026-05-14T16:24:56.240

Link: CVE-2026-41933

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T17:00:14Z

Weaknesses