Vvveb CMS v1.0.8 contains a flaw in its media management that allows an authenticated attacker to rename uploaded files to blocked extensions such as ".php" or ".htaccess" due to a missing return statement in the file rename handler. By exploiting this logic error, the attacker can upload a text file, rename it to ".htaccess" to inject Apache directives that register PHP‑executable MIME types, and then upload another file and rename it to ".php" to execute arbitrary operating system commands as the www-data user. This results in full remote code execution on the web server, compromising the confidentiality, integrity, and availability of the entire site.

The vulnerability is present in the Vvveb CMS product, specifically version 1.0.8. The affected system is the web server running Vvveb CMS where authenticated users can access the media manager function. No other versions are listed in the data, so the impact applies only to deployments running 1.0.8.

The CVSS score is 9.2, indicating a very high risk. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog, though it remains exploitable. Attackers must first authenticate to the CMS, typically as a site administrator or other privileged user, to access the media manager and rename files. Once authenticated, the attacker can immediately trigger the flaw and gain remote code execution on the web server. The lack of early detection means that this vulnerability could be exploited at any time until it is remediated.