Impact
Vvveb before 1.0.8.3 contains uncontrolled recursion in the admin controller dispatch cycle: Base::init() repeatedly calls permission() on error handlers, so a request that fails the permission check re-enters the same path without ever terminating, until the PHP memory limit is reached and the worker dies. Sustained requests to forbidden admin URLs from a low-privilege account can therefore exhaust the memory of every PHP worker and block legitimate traffic. The weakness is classified as CWE-674 (Uncontrolled Recursion) and CWE-209 (Generation of Error Message Containing Sensitive Information; not directly exploited here). The impact is loss of availability for all users and services that rely on the affected PHP processes.
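The re-entrancy pattern described above, reduced to a small model (an added example, not Vvveb's code; the names Dispatcher, init, permission and forbidden_handler are hypothetical stand-ins for the admin controller dispatch cycle). The unguarded variant dispatches the error page through init() again, which fails the same permission check and calls the handler again; the hardened variant carries a re-entrancy flag so the nested failure terminates with a plain 403. In Python the runaway recursion surfaces as RecursionError; in PHP it surfaces as the memory-limit fatal error the advisory describes.

```python
class Dispatcher:
    """Hypothetical admin dispatcher modelling init() -> permission() -> error handler."""

    def __init__(self, guarded: bool):
        self.guarded = guarded          # True selects the hardened variant
        self.handling_error = False     # re-entrancy flag, used only when guarded
        self.handler_calls = 0          # how many times the error handler ran

    def permission(self, role: str, route: str) -> bool:
        # Constructed policy: only the admin role may reach anything under /admin/
        return not route.startswith("/admin/") or role == "admin"

    def init(self, role: str, route: str):
        # Dispatch cycle: every request, including the error page, passes through here
        if not self.permission(role, route):
            return self.forbidden_handler(role, route)
        return 200, "ok"

    def forbidden_handler(self, role: str, route: str):
        self.handler_calls += 1
        error_route = "/admin/error/403"   # the error page is itself an admin route
        if not self.guarded:
            # Vulnerable pattern: rendering the error page re-enters init(), which
            # re-checks permission(), fails again, and calls this handler again.
            return self.init(role, error_route)
        if self.handling_error:
            # Hardened pattern: a permission failure while already handling an
            # error short-circuits instead of dispatching again.
            return 403, "forbidden"
        self.handling_error = True
        try:
            return self.init(role, error_route)
        finally:
            self.handling_error = False


def simulate(role: str, route: str, guarded: bool):
    """Return (status, handler_calls); status is 'stack exhausted' if recursion ran away."""
    d = Dispatcher(guarded)
    try:
        status, _ = d.init(role, route)
        return status, d.handler_calls
    except RecursionError:
        return "stack exhausted", d.handler_calls


if __name__ == "__main__":
    print(simulate("editor", "/admin/settings", guarded=False))  # runaway recursion
    print(simulate("editor", "/admin/settings", guarded=True))   # (403, 2)
    print(simulate("admin", "/admin/settings", guarded=True))    # (200, 0)
```

The fix is the re-entrancy flag, not the permission check itself: the permission decision is correct in both variants, and the defect is only that the error path is routed back through the code that produced the error.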
Affected Systems
The affected product is the Vvveb content‑management system provided by the vendor givanz; every release older than 1.0.8.3 is affected. The advisory references 1.0.8.3 as the fixed version, so any deployment running an earlier build is vulnerable and should be upgraded to 1.0.8.3 or later.
Risk and Exploitability
The CVSS score of 7.1 falls in the High severity band. The exploit is web‑based and requires only that the attacker can reach the admin URL space with a low‑privilege account. No EPSS score is available, so the current probability of exploitation is unknown, and the vulnerability is not listed in the CISA KEV catalog. Because each triggering request consumes a worker's memory until it dies, the attack vector is sustained, low‑privilege web requests rather than a single crafted one; enough of them exhaust PHP memory on all workers and deny service to legitimate users. Until the upgrade is applied, rate‑limiting repeated forbidden responses on admin paths and alerting on bursts of them per source address or account reduces exposure.
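A detection for the sustained-request pattern described above, as an added example that is not part of the advisory: it parses web-server access logs in combined format and flags any source address that receives a burst of 403 responses on admin paths within a sliding window. The log lines, the /admin/ prefix, the threshold and the window are constructed assumptions; tune the prefix to the deployment's admin URL and the threshold to normal traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str):
    """Return a dict with ip, ts (aware datetime), path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_forbidden_admin_bursts(lines, threshold=20, window_seconds=60,
                                admin_prefix="/admin/"):
    """Map source ip -> peak count of 403s on admin paths seen inside one window.

    Only ips whose count reached `threshold` are returned. Lines must be in
    chronological order, as access logs normally are.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent forbidden admin hits
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 403 or not rec["path"].startswith(admin_prefix):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop hits that fell out of the window
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# Constructed sample traffic (not real logs): one client hammering a forbidden
# admin URL, one client getting a single 403, and ordinary permitted requests.
SAMPLE_LINES = [
    f'203.0.113.7 - - [10/Oct/2024:13:55:{36 + i // 2:02d} +0000] '
    f'"GET /admin/index.php?module=user/users HTTP/1.1" 403 512 "-" "curl/8.4.0"'
    for i in range(25)
] + [
    '198.51.100.4 - - [10/Oct/2024:13:55:40 +0000] "GET /admin/index.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2024:13:55:41 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2024:13:55:42 +0000] "POST /admin/index.php?module=editor HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'not a log line at all',
]


if __name__ == "__main__":
    print(find_forbidden_admin_bursts(SAMPLE_LINES))   # {'203.0.113.7': 25}
```

Keying on the authenticated account instead of the source address is stronger when the application logs it, since the attacker needs a valid low-privilege login and may rotate addresses; the sliding-window logic is the same.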