Description
Vvveb CMS 1.0.8.2 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass the extension deny-list and upload malicious files to the publicly accessible media directory, then request the file over HTTP to achieve full server compromise.
Published: 2026-04-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vvveb CMS 1.0.8.2 contains a remote code execution vulnerability in its media upload handler that permits an authenticated attacker to upload a PHP webshell with a .phtml extension by bypassing the extension deny‑list. By placing the malicious file in the publicly accessible media directory and invoking it over HTTP, the attacker can execute arbitrary operating system commands and achieve full server compromise.

Affected Systems

The affected product is Vvveb CMS 1.0.8.2. No other versions or variants are listed; the vulnerability specifically applies to this release.

Risk and Exploitability

The CVSS score of 8.7 classifies the flaw as high severity, and the EPSS score of < 1% indicates a very low probability of exploitation; the vulnerability is not listed in CISA’s KEV catalog. Because the attack requires authentication to upload a file, an adversary must first gain valid credentials or otherwise bypass authentication before exploiting the flaw. Once authenticated, the attack path is straightforward: upload a PHP webshell disguised as .phtml, bypass the deny‑list, store the file in the media directory, and then retrieve it via an HTTP request to trigger command execution.

Generated by OpenCVE AI on May 6, 2026 at 22:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Vvveb CMS release that includes the fix for the media upload RCE vulnerability.
  • Restrict media uploads to safe file types and remove .phtml and other executable extensions from the allowed list.
  • Configure the web server to deny execution of PHP files in the media directory and enforce strict MIME type verification during upload.

Generated by OpenCVE AI on May 6, 2026 at 22:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description Vvveb CMS 1.0.8 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass the extension deny-list and upload malicious files to the publicly accessible media directory, then request the file over HTTP to achieve full server compromise. Vvveb CMS 1.0.8.2 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass the extension deny-list and upload malicious files to the publicly accessible media directory, then request the file over HTTP to achieve full server compromise.
Title Vvveb CMS 1.0.8 Remote Code Execution via Media Upload Vvveb CMS < 1.0.8.2 Remote Code Execution via Media Upload

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Vvveb
Vvveb vvveb
Vendors & Products Vvveb
Vvveb vvveb

Tue, 21 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description Vvveb CMS 1.0.8 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass the extension deny-list and upload malicious files to the publicly accessible media directory, then request the file over HTTP to achieve full server compromise.
Title Vvveb CMS 1.0.8 Remote Code Execution via Media Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Vvveb Vvveb
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-06T21:19:14.013Z

Reserved: 2026-04-13T18:27:33.300Z

Link: CVE-2026-6249

cve-icon Vulnrichment

Updated: 2026-04-21T13:43:12.583Z

cve-icon NVD

Status : Deferred

Published: 2026-04-20T20:16:48.943

Modified: 2026-05-06T22:16:26.187

Link: CVE-2026-6249

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T23:00:15Z

Weaknesses