Description
Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and execute the uploaded payload through a subsequent unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges.
Published: 2026-05-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vvveb versions earlier than 1.0.8.2 contain an unrestricted file upload vulnerability in the media upload handler. Authenticated users with media‑upload privileges can bypass extension restrictions by uploading a .htaccess file that maps .phtml extensions to the PHP handler. The attacker can then upload a .phtml file with arbitrary PHP code and trigger execution via a subsequent unauthenticated HTTP GET request, resulting in remote code execution with web‑server privileges. The flaw is identified as a file‑upload bypass (CWE‑434).

Affected Systems

The vulnerability affects the Vvveb CMS developed by givanz. Any installation on a server running Vvveb earlier than release 1.0.8.2 is susceptible.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, while the EPSS score of 0.0009 indicates a very low but non‑zero exploitation probability. The flaw is not listed in the CISA KEV catalog. Inference indicates that an attacker must first obtain authentication with media‑upload rights; however, once the malicious file is placed, a simple unauthenticated request can trigger execution, giving the attacker full web‑server code‑execution capabilities. The risk is therefore high for authenticated insiders or compromised accounts.

Generated by OpenCVE AI on May 26, 2026 at 02:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Vvveb to version 1.0.8.2 or later.
  • Disable media upload functionality temporarily to prevent exploitation.
  • Enforce server‑side validation to reject .phtml files and restrict .htaccess uploads.
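The third action above is the server-side control that closes this class of bug. The following Python sketch is an added example, not Vvveb's own code, of what "reject .phtml files and restrict .htaccess uploads" looks like when done by allowlist rather than blocklist: it normalizes the client-supplied name, refuses dotfiles and server configuration files outright, refuses any PHP-executable extension anywhere in the name (so `shell.phtml.jpg` is caught as well as `shell.phtml`), and then accepts only a fixed set of media extensions. The allowlist, the executable-extension set and the sample filenames are all constructed for the example.

```python
import re
import unicodedata

# Media extensions the handler should store (constructed policy for this example;
# Vvveb's real allowlist is not on the page). SVG is left out on purpose: it can
# carry script and so belongs in a separate, sanitized path.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "mp4", "pdf"}

# Extensions a typical Apache/PHP stack may execute. These are rejected anywhere
# in the name, not only as the final extension.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
    "pht", "cgi", "pl", "py", "sh",
}

# Server configuration files that must never reach a web-served directory,
# since they can remap extensions to a handler (the .htaccess -> .phtml trick).
CONFIG_FILENAMES = {".htaccess", ".htpasswd", "web.config", ".user.ini", "php.ini"}


class UploadRejected(ValueError):
    """Raised when a client-supplied filename fails the media policy."""


def sanitize_upload_name(raw_name: str) -> str:
    """Return a safe stored filename for an accepted upload, else raise UploadRejected."""
    # Keep only the last path component; clients may send directory parts.
    name = raw_name.replace("\\", "/").rsplit("/", 1)[-1]
    if "\x00" in name:
        raise UploadRejected("null byte in filename")
    # NFKC collapses look-alike Unicode; trailing dots/spaces are trimmed because
    # some filesystems silently drop them, which would change the extension.
    name = unicodedata.normalize("NFKC", name).strip().rstrip(". ")
    if not name:
        raise UploadRejected("empty filename")
    lower = name.lower()
    if lower in CONFIG_FILENAMES or lower.startswith("."):
        raise UploadRejected("dotfiles and server config files are not media")
    parts = lower.split(".")
    if len(parts) < 2:
        raise UploadRejected("no extension")
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        raise UploadRejected(f"executable extension in {name!r}")
    final = exts[-1]
    if final not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{final} is not in the media allowlist")
    # Fold everything before the final extension into one conservative token so
    # the stored name has exactly one extension and no special characters.
    base = re.sub(r"[^a-z0-9_-]+", "_", ".".join(parts[:-1])).strip("_") or "file"
    return f"{base}.{final}"


def vet_upload(raw_name: str) -> tuple:
    """Convenience wrapper: (accepted, stored_name_or_reason)."""
    try:
        return True, sanitize_upload_name(raw_name)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample names covering the cases the advisory describes.
    for candidate in [".htaccess", "shell.phtml", "shell.phtml.jpg",
                      "Report Q1.PNG", "../../evil.php", "photo.jpg ", "README"]:
        print(f"{candidate!r:22} -> {vet_upload(candidate)}")
```

The important design choice is that the final decision is an allowlist match on the last extension, with the executable-extension and dotfile checks in front of it as belt-and-braces; a blocklist alone is exactly what the `.htaccess` remap defeats, because it lets the attacker choose which extension becomes executable after the upload check has run.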


Advisories

No advisories yet.

History

Tue, 26 May 2026 00:00:00 +0000

Type: Description
Values Removed: Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and trigger execution by sending an unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges.
Values Added: Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and execute the uploaded payload through a subsequent unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges.

Wed, 06 May 2026 22:45:00 +0000

Type: First Time appeared
Values Added: Givanz; Givanz vvveb

Type: Vendors & Products
Values Added: Givanz; Givanz vvveb

Wed, 06 May 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 06 May 2026 19:15:00 +0000

Type: Description
Values Added: Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and trigger execution by sending an unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges.

Type: Title
Values Added: Vvveb < 1.0.8.2 RCE via Media Upload Handler

Type: Weaknesses
Values Added: CWE-434

Type: References
Values Added: (none)

Type: Metrics
Values Added: cvssV3_1
{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0
{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T23:42:19.591Z

Reserved: 2026-04-22T18:50:43.621Z

Link: CVE-2026-41938

Vulnrichment

Updated: 2026-05-06T19:25:38.105Z

NVD

Status : Deferred

Published: 2026-05-06T19:16:37.680

Modified: 2026-05-26T00:16:56.053

Link: CVE-2026-41938

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T02:15:16Z

Weaknesses