Description
Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code by exploiting insufficient file extension restrictions. Attackers with editor, author, contributor, or site_admin roles can write a malicious .htaccess file to map arbitrary extensions to the PHP handler, then upload PHP code with that extension to achieve unauthenticated remote code execution when the file is accessed via HTTP.
Published: 2026-05-06
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lets an authenticated Vvveb user holding the editor, author, contributor or site_admin role execute arbitrary code. The admin code editor restricts which file extensions may be written, but not tightly enough: the account can write a .htaccess file into a web-served directory that maps a non-PHP extension (for example an image extension) to the PHP handler, then save PHP source under that extension through the same editor. Planting the files requires the low-privilege account, but once they are in place the payload runs for any unauthenticated HTTP request to it, so the backdoor outlives the account that created it. The weakness is recorded as CWE-184 (Incomplete List of Disallowed Inputs): the editor's extension denylist blocks some dangerous names but not the .htaccess-plus-arbitrary-extension combination.
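The following scanner is an added example for defenders, not Vvveb's code or anything from the CVE record. It walks a web root, parses every .htaccess for Apache-style directives that route extra extensions to a PHP handler (AddHandler, AddType, SetHandler), and then flags files below that directory whose extension is now executable and whose content contains a PHP open tag. It assumes Apache directive syntax, recognises a PHP handler by the string "php" in the handler or MIME name, and builds its sample web root in a temporary directory; the file names and layout are constructed for the demo.

```python
"""Scan a web root for .htaccess handler remaps and the PHP payloads they enable.

Added example, not Vvveb's code. It assumes Apache-style .htaccess syntax and
identifies a PHP handler by the string "php" in the handler or MIME name
(application/x-httpd-php, proxy:...php-fpm.sock|fcgi://..., etc.). The sample
web root below is constructed in a temporary directory for the demo.
"""
import re
import tempfile
from pathlib import Path

# AddHandler/AddType <handler-or-mime> <ext> [<ext> ...]; Apache accepts the
# extensions with or without the leading dot, so both forms are normalised.
ADD_RE = re.compile(r'^\s*(?:AddHandler|AddType)\s+(\S+)\s+(.+?)\s*$', re.I)
# SetHandler <handler> applies to every file in scope, not to one extension.
SET_RE = re.compile(r'^\s*SetHandler\s+(\S+)', re.I)
PHP_OPEN_TAG = re.compile(rb'<\?php\b|<\?=', re.I)


def php_mapped_extensions(htaccess_text):
    """Return (extensions, catch_all) for one .htaccess body.

    extensions: lower-cased extensions (with dot) mapped to a PHP handler.
    catch_all:  True if a SetHandler routes every file in scope to PHP.
    """
    exts, catch_all = set(), False
    for raw in htaccess_text.splitlines():
        line = raw.split('#', 1)[0]          # Apache comments run to end of line
        m = ADD_RE.match(line)
        if m:
            if 'php' in m.group(1).lower():
                exts.update('.' + e.lstrip('.').lower() for e in m.group(2).split())
            continue
        m = SET_RE.match(line)
        if m and 'php' in m.group(1).lower():
            catch_all = True
    return exts, catch_all


def scan_webroot(root):
    """Return sorted (relative_path, reason) findings under root."""
    root = Path(root)
    findings = set()
    for ht in root.rglob('.htaccess'):
        exts, catch_all = php_mapped_extensions(ht.read_text(errors='replace'))
        if not exts and not catch_all:
            continue
        scope = 'all files' if catch_all else ', '.join(sorted(exts))
        findings.add((ht.relative_to(root).as_posix(), f'maps {scope} to PHP handler'))
        # A remap applies to the .htaccess directory and every directory below it.
        for f in ht.parent.rglob('*'):
            if not f.is_file() or f.name == '.htaccess' or f.suffix.lower() == '.php':
                continue
            if catch_all or f.suffix.lower() in exts:
                if PHP_OPEN_TAG.search(f.read_bytes()):
                    findings.add((f.relative_to(root).as_posix(),
                                  'PHP code under remapped extension'))
    return sorted(findings)


def build_sample_tree():
    """Constructed web root for the demo (not a real Vvveb layout)."""
    root = Path(tempfile.mkdtemp(prefix='htaccess-scan-'))
    (root / 'index.php').write_text('<?php echo "site"; ?>\n')
    media = root / 'public' / 'media'
    media.mkdir(parents=True)
    # Planted by the low-privilege editor account: .jpg now runs as PHP.
    (media / '.htaccess').write_text('AddHandler application/x-httpd-php .jpg\n')
    (media / 'cover.jpg').write_bytes(b'\xff\xd8\xff\xe0' + b'\x00' * 64)  # genuine JPEG header
    (media / 'shell.jpg').write_text('<?php echo php_uname(); ?>\n')        # payload
    admin = root / 'admin'
    admin.mkdir()
    (admin / '.htaccess').write_text('Options -Indexes\n')  # benign override, no remap
    return root


def demo():
    return scan_webroot(build_sample_tree())


if __name__ == '__main__':
    for path, reason in demo():
        print(f'{path}: {reason}')
```

Run it against a real document root instead of the sample tree by calling scan_webroot('/var/www/site'). The handler test is deliberately loose (any handler or MIME name containing "php"), so a FilesMatch-scoped SetHandler is reported as covering all files, which over-flags rather than misses; a wrapper that reaches PHP without "php" in its name (an fcgid-script handler with an external wrapper, for instance) is not recognised, so in practice treat any handler directive appearing in a directory the application can write to as a finding in its own right.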

Affected Systems

All Vvveb installations before version 1.0.8.2 are affected. The vendor/product pair recorded for it is givanz:vvveb; self-hosted deployments built from the same code base are affected regardless of how they were packaged.

Risk and Exploitability

The overall risk is high: CVSS v4.0 scores it 8.7 and CVSS v3.1 8.8, both with network attack vector, low complexity, low privileges required, no user interaction and high confidentiality, integrity and availability impact. No EPSS score is published, the vulnerability is not in the CISA KEV catalog, and the SSVC record marks exploitation as "none" and the attack as not automatable. The barrier is nonetheless low: any account holding one of the listed roles can reach the code editor, and nothing beyond the editor's own file-write capability is needed, so no further privilege escalation stands between writing the .htaccess file and running code in the PHP process. One caveat: the chain as described depends on the web server honouring per-directory .htaccess files (Apache-style AllowOverride that includes FileInfo). Deployments on servers that ignore .htaccess, such as nginx, are not exposed through this handler-remap route, although the underlying unrestricted file write remains and should still be patched.

Generated by OpenCVE AI on May 6, 2026 at 20:41 UTC.

Remediation

The record lists no vendor advisory or workaround. The CVE description's "before version 1.0.8.2" wording identifies 1.0.8.2 as the first release that does not contain the flaw.

OpenCVE Recommended Actions

  • Upgrade Vvveb to version 1.0.8.2 or later, the first release the CVE record describes as unaffected.
  • If an immediate upgrade is not possible, remove the web server's cooperation with the chain: for every directory the code editor can write to, set AllowOverride None (or at minimum exclude FileInfo, which is what AddHandler, AddType and SetHandler need) and turn PHP execution off at the server level for upload and media directories. If the application offers a way to restrict which file names and extensions the editor may save, also disallow .htaccess and non-code extensions there, but do not rely on that alone.
  • Until the patch is applied, limit code-upload and editing features to site_admin accounts and withdraw them from editor, author and contributor roles; review existing .htaccess files and recently written non-.php files in web-served directories for planted PHP.
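The Apache fragment below is an added illustration of the second action, not configuration shipped with Vvveb or taken from the CVE record. The directory paths are assumed; the php_admin_flag line applies only when PHP runs as mod_php (the php_module name is the PHP 8 module name), and php_admin_flag is used rather than php_flag precisely because a .htaccess file cannot override it.

```apache
# Weak: the CMS can write into this tree and per-directory overrides are on,
# so a planted .htaccess may add "AddHandler application/x-httpd-php .jpg".
<Directory "/var/www/vvveb/public/media">
    AllowOverride All
</Directory>

# Hardened: no overrides in the writable tree, PHP engine off there, and
# direct requests for PHP-like names refused as a second layer.
<Directory "/var/www/vvveb/public/media">
    AllowOverride None
    <IfModule php_module>
        php_admin_flag engine off
    </IfModule>
    <FilesMatch "\.(php|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
```

With AllowOverride None the server never reads the planted .htaccess, so the remap is inert even if the file write still succeeds; on php-fpm deployments the engine flag has no effect and the protection rests on the override being disabled and on the handler for .php being defined only in the main server configuration. Reload the server after the change and confirm with a test file that a .jpg containing a PHP open tag is served as bytes rather than executed.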


Advisories

No advisories yet.

History

Wed, 06 May 2026 23:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Givanz
                                      Givanz vvveb
Vendors & Products                    Givanz
                                      Givanz vvveb

Wed, 06 May 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 06 May 2026 19:15:00 +0000

Type          Values Removed   Values Added
Description                    Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code by exploiting insufficient file extension restrictions. Attackers with editor, author, contributor, or site_admin roles can write a malicious .htaccess file to map arbitrary extensions to the PHP handler, then upload PHP code with that extension to achieve unauthenticated remote code execution when the file is accessed via HTTP.
Title                          Vvveb < 1.0.8.2 Authenticated RCE via Code Editor
Weaknesses                     CWE-184
References
Metrics                        cvssV3_1
                               {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                               cvssV4_0
                               {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-06T19:16:58.180Z

Reserved: 2026-04-22T18:50:43.620Z

Link: CVE-2026-41934

Vulnrichment

Updated: 2026-05-06T19:16:54.660Z

NVD

Status: Deferred

Published: 2026-05-06T19:16:37.417

Modified: 2026-05-06T19:20:35.690

Link: CVE-2026-41934

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T23:30:15Z

Weaknesses