Description
Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and trigger execution by sending an unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges.
Published: 2026-05-06
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vvveb versions older than 1.0.8.2 allow an authenticated user with media‑upload permission to upload a .htaccess file that redefines .phtml as a PHP handler. The attacker can then upload a .phtml file containing arbitrary PHP code and execute it through an unauthenticated HTTP GET request, achieving remote code execution with web‑server privileges. The flaw is a classic file‑upload bypass (CWE‑434).

Affected Systems

The vulnerability affects the Vvveb CMS developed by givanz. Any installation on a server running Vvveb earlier than release 1.0.8.2 is susceptible.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity; no EPSS score is available and the flaw is not listed in the CISA KEV catalog. An attacker must first authenticate with media-upload rights, but once the .htaccess and .phtml files are in place a single unauthenticated GET request triggers execution, giving full code execution as the web-server user. The risk is therefore high wherever an insider or a compromised account holds that permission.

Generated by OpenCVE AI on May 6, 2026 at 21:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Vvveb to version 1.0.8.2 or later.
  • Disable media upload functionality temporarily to prevent exploitation.
  • Enforce server‑side validation to reject .phtml files and restrict .htaccess uploads.
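One way to implement the last recommendation, written here as an added example rather than code from Vvveb: an extension allowlist that refuses dotfiles (so .htaccess never reaches the media directory) and inner extensions (so shell.phtml.jpg is refused along with shell.phtml), plus a server-generated filename so nothing attacker-chosen is written to disk. The constant, the function names, the $_FILES-style array and $uploadDir are assumptions.

```php
<?php
// Added example (not Vvveb's own handler): allowlist-based media upload checks.
// The constant, function names, the $_FILES-style array and $uploadDir are assumed.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf'];

// Returns null when the name is acceptable, otherwise the reason for rejection.
function validateUploadName(string $name): ?string
{
    $base = basename($name);                 // drop any directory components
    if ($base === '' || $base[0] === '.') {  // .htaccess and .user.ini reconfigure the server
        return 'dotfiles are not allowed';
    }
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return 'missing extension';
    }
    // Every extension after the first dot must be allowlisted: "shell.phtml" and
    // "shell.phtml.jpg" are both refused (mod_mime can honour inner extensions).
    // A denylist of .php/.phtml would miss whatever the next .htaccess maps.
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return "extension '.$ext' is not allowed";
        }
    }
    return null;
}

// Store under a random server-generated name so no attacker-chosen name reaches disk.
function storeUpload(array $file, string $uploadDir): string
{
    $err = validateUploadName($file['name']);
    if ($err !== null) {
        throw new RuntimeException("upload rejected: $err");
    }
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('upload rejected: could not store file');
    }
    return $dest;
}

// Constructed checks for the names this CVE relies on (run with zend.assertions=1).
assert(validateUploadName('.htaccess') !== null);
assert(validateUploadName('shell.phtml') !== null);
assert(validateUploadName('shell.phtml.jpg') !== null);
assert(validateUploadName('photo.JPG') === null);
```

The check is name-based only; pairing it with AllowOverride None on the media directory in the Apache vhost means an uploaded .htaccess would be ignored even if a future bypass got one onto disk.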


Advisories

No advisories yet.

History

Wed, 06 May 2026 22:45:00 +0000

  Values removed: (none)
  Values added:
    First Time appeared: Givanz; Givanz vvveb
    Vendors & Products: Givanz; Givanz vvveb

Wed, 06 May 2026 20:15:00 +0000

  Values removed: (none)
  Values added:
    Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 06 May 2026 19:15:00 +0000

  Values removed: (none)
  Values added:
    Description: Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and trigger execution by sending an unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges.
    Title: Vvveb < 1.0.8.2 RCE via Media Upload Handler
    Weaknesses: CWE-434
    References: (none)
    Metrics:
      cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
      cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-06T19:25:41.446Z

Reserved: 2026-04-22T18:50:43.621Z

Link: CVE-2026-41938

Vulnrichment

Updated: 2026-05-06T19:25:38.105Z

NVD

Status : Deferred

Published: 2026-05-06T19:16:37.680

Modified: 2026-05-06T20:16:32.993

Link: CVE-2026-41938

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T22:30:13Z

Weaknesses