Description
Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code through insufficient file extension restrictions, with the uploaded payload then executable via subsequent unauthenticated HTTP requests. Attackers with editor, author, contributor, or site_admin roles can write a malicious .htaccess file to map arbitrary extensions to the PHP handler, then upload PHP code with that extension to achieve unauthenticated remote code execution when the file is accessed via HTTP.
Published: 2026-05-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits low-privilege authenticated users in Vvveb with editor, author, contributor, or site_admin roles to execute arbitrary code. By creating a malicious .htaccess file that maps an arbitrary file extension to the PHP handler and then uploading PHP code using that extension, the attacker can trigger unauthenticated remote code execution when the file is accessed through HTTP. The flaw is classified under CWE-184 due to insufficient file extension validation.

Affected Systems

All instances of the Vvveb platform before version 1.0.8.2 are vulnerable. This includes installations packaged under the givanz:Vvveb vendor name and any custom deployments using the same code base.

Risk and Exploitability

The overall risk is high, reflected in a CVSS score of 8.7. The EPSS score is 0.00423, indicating a very low but non-zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, but the attack requires only low-privilege authenticated access. Any user holding one of the roles listed above can reach the code editor, so the attack path is widely available. Once the malicious code is uploaded, remote execution is achieved without additional privilege escalation, underscoring the severity of the vulnerability.

Generated by OpenCVE AI on May 26, 2026 at 02:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vvveb to version 1.0.8.2 or later to apply the vendor fix.
  • If an upgrade cannot be performed immediately, restrict the admin code editor to site_admin users only and modify the web server configuration to disallow execution of arbitrary file extensions, such as removing or restricting .htaccess directives that map file types to the PHP handler.
  • Revoke editor, author, and contributor roles from users who do not require code editing permissions, enforcing the principle of least privilege.
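As an added example (not code from the OpenCVE record or the Vvveb project), the following Python audit walks a web root and flags any .htaccess file whose directives hand a non-PHP extension to the PHP handler, which is the server-side change the recommended actions above tell administrators to look for. The directive names checked (AddHandler, AddType, SetHandler, ForceType) are standard Apache directives; the sample web root and its two .htaccess files are constructed for the demonstration.

```python
"""Audit .htaccess files for directives that remap file extensions to PHP.

Added example, not Vvveb or OpenCVE code. Flags AddHandler/AddType/SetHandler/
ForceType lines that would make extensions other than .php execute as PHP.
"""
import re
import tempfile
from pathlib import Path

# Apache directives that can route a file to the PHP handler or MIME type.
HANDLER_RE = re.compile(
    r"^\s*(AddHandler|AddType|SetHandler|ForceType)\s+(\S+)(.*)$",
    re.IGNORECASE,
)

def suspicious_directives(text: str) -> list[str]:
    """Return the lines of one .htaccess that map anything to PHP."""
    hits = []
    for line in text.splitlines():
        m = HANDLER_RE.match(line)
        if m and "php" in (m.group(2) + m.group(3)).lower():
            hits.append(line.strip())
    return hits

def audit_webroot(root: Path) -> dict[str, list[str]]:
    """Walk root; return {relative .htaccess path: [suspicious lines]}."""
    findings = {}
    for htaccess in root.rglob(".htaccess"):
        hits = suspicious_directives(htaccess.read_text(errors="replace"))
        if hits:
            findings[str(htaccess.relative_to(root))] = hits
    return findings

# Constructed sample: a benign rewrite rule, and a file mapping .txt/.dat to PHP.
BENIGN = "RewriteEngine On\nRewriteRule ^(.*)$ index.php [L,QSA]\n"
MALICIOUS = "AddHandler application/x-httpd-php .txt .dat\n"

def demo() -> dict[str, list[str]]:
    """Build a throwaway web root with both samples and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".htaccess").write_text(BENIGN)
        (root / "uploads").mkdir()
        (root / "uploads" / ".htaccess").write_text(MALICIOUS)
        return audit_webroot(root)

if __name__ == "__main__":
    for path, lines in demo().items():
        print(path, lines)
```

On Apache these directives only take effect where AllowOverride permits them, so setting AllowOverride None (or a restricted list) on upload and content directories is the server-side counterpart to running this audit.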

Advisories

No advisories yet.

History

Tue, 26 May 2026 00:00:00 +0000

Type: Description
Values Removed: Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code by exploiting insufficient file extension restrictions. Attackers with editor, author, contributor, or site_admin roles can write a malicious .htaccess file to map arbitrary extensions to the PHP handler, then upload PHP code with that extension to achieve unauthenticated remote code execution when the file is accessed via HTTP.
Values Added: Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code through insufficient file extension restrictions, with the uploaded payload then executable via subsequent unauthenticated HTTP requests. Attackers with editor, author, contributor, or site_admin roles can write a malicious .htaccess file to map arbitrary extensions to the PHP handler, then upload PHP code with that extension to achieve unauthenticated remote code execution when the file is accessed via HTTP.

Wed, 06 May 2026 23:45:00 +0000

Type: First Time appeared
Values Added: Givanz; Givanz vvveb
Type: Vendors & Products
Values Added: Givanz; Givanz vvveb

Wed, 06 May 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 May 2026 19:15:00 +0000

Type: Description
Values Added: Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code by exploiting insufficient file extension restrictions. Attackers with editor, author, contributor, or site_admin roles can write a malicious .htaccess file to map arbitrary extensions to the PHP handler, then upload PHP code with that extension to achieve unauthenticated remote code execution when the file is accessed via HTTP.
Type: Title
Values Added: Vvveb < 1.0.8.2 Authenticated RCE via Code Editor
Type: Weaknesses
Values Added: CWE-184
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T23:42:18.135Z

Reserved: 2026-04-22T18:50:43.620Z

Link: CVE-2026-41934

Vulnrichment

Updated: 2026-05-06T19:16:54.660Z

NVD

Status: Deferred

Published: 2026-05-06T19:16:37.417

Modified: 2026-05-26T00:16:55.803

Link: CVE-2026-41934

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T02:45:40Z

Weaknesses