Impact
Vvveb versions prior to 1.0.8.2 contain an XML External Entity (XXE) injection flaw in the Admin Tools/Import functionality. The vulnerability is exploitable only by authenticated site_admin users, who can craft XML payloads containing entity references to file:// or php://filter URIs. When the application's XML parser processes such an import, it resolves these references and the resulting data is persisted to the database. Consequently, an attacker with site_admin access can read arbitrary files on the hosting server and overwrite critical database records, including the administrator password hash, enabling full privilege escalation. The weakness is classified as CWE-611 and can compromise both confidentiality and integrity.
Affected Systems
The affected product is Vvveb as provided by the vendor givanz. All deployments using any Vvveb release earlier than 1.0.8.2 are vulnerable. No additional sub‑versions are specified beyond the stated cutoff.
Risk and Exploitability
The CVSS score of 8.6 indicates a high severity risk. EPSS data is unavailable, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires the attacker to be logged in as a site_admin, so this is an authenticated attack. An attacker can construct a malicious XML import, trigger the parser to resolve external entities, and thereby read local files or modify protected database entries. Because the flaw permits both arbitrary file disclosure and password hash overwriting, the impact ranges from confidential data exposure to full administrative takeover. The primary attack vector is the Import feature within the administrative interface, and it depends on the XML parser being configured to resolve external entities. Given the high CVSS score and the privileged nature of the vulnerable functionality, the risk to affected sites is significant.
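The root cause described in the Impact and Risk sections above is an XML parser that resolves external entities during import. The following added example (not Vvveb's own code; the function name and the import document structure are assumptions) shows the defensive parsing pattern in PHP: reject any DOCTYPE before parsing, keep external entity loading off, and never pass LIBXML_NOENT.

```php
<?php
// Added example, not part of the Vvveb project: parse an admin "Import" XML
// document without ever resolving external entities (the CWE-611 condition).
function parseImportXmlSafely(string $xml): DOMDocument
{
    // An import format has no legitimate need for a DTD, so refuse any DOCTYPE
    // (and with it every <!ENTITY ...> declaration) before libxml sees it.
    // Caveat: this also rejects a DOCTYPE that merely appears inside a comment.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('Import rejected: DOCTYPE/entity declarations are not allowed');
    }

    // PHP 8.0+ disables the external entity loader by default; on older
    // releases it must be switched off explicitly.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previousErrorMode = libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    $doc->resolveExternals   = false; // do not fetch external DTDs/entities
    $doc->substituteEntities = false; // keep entity references unexpanded

    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT is
    // deliberately absent: it is the flag that turns file:// and php://filter
    // entity references into inlined file contents.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_use_internal_errors($previousErrorMode);

    if ($ok === false) {
        throw new InvalidArgumentException('Import rejected: malformed XML');
    }
    // Defence in depth: a document that still carries a DTD node is refused.
    if ($doc->doctype !== null) {
        throw new InvalidArgumentException('Import rejected: DTD present');
    }
    return $doc;
}

// Constructed sample documents (assumed import layout, not Vvveb's real schema).
$benignImport = '<?xml version="1.0"?><import><page title="Home"/></import>';
$dtdImport    = '<?xml version="1.0"?><!DOCTYPE import SYSTEM "import.dtd"><import/>';

$doc = parseImportXmlSafely($benignImport);
echo 'accepted: ' . $doc->documentElement->tagName . PHP_EOL;   // accepted: import
try {
    parseImportXmlSafely($dtdImport);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage() . PHP_EOL;                            // Import rejected: ...
}
```

On PHP 8.x the `libxml_disable_entity_loader` call is deprecated but still functional; the DOCTYPE pre-check and the absence of LIBXML_NOENT are what actually close the file-read path on every version.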
OpenCVE Enrichment