Description
Vvveb CMS prior to v1.0.8.2 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows authenticated attackers to rename files to blocked extensions .php or .htaccess. Attackers can exploit this logic flaw by first uploading a text file and renaming it to .htaccess to inject Apache directives that register PHP-executable MIME types, then uploading another file and renaming it to .php to execute arbitrary operating system commands as the www-data user.
Published: 2026-04-20
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vvveb CMS prior to v1.0.8.2 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows authenticated attackers to rename files to blocked extensions such as .php or .htaccess. Attackers can exploit this logic flaw by first uploading a text file and renaming it to .htaccess to inject Apache directives that register PHP‑executable MIME types, then uploading another file and renaming it to .php to execute arbitrary operating system commands as the www-data user. This results in full remote code execution on the web server, compromising the confidentiality, integrity, and availability of the site.

Affected Systems

The vulnerability is present in all releases of Vvveb CMS prior to version 1.0.8.2. The affected system is the web server running Vvveb CMS where authenticated users can access the media manager function. This includes deployments running version 1.0.8 and earlier, which are still vulnerable if the latest patch is not applied.

Risk and Exploitability

The CVSS score is 9.2, indicating a very high risk. The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog. This vulnerability exists in Vvveb CMS versions prior to 1.0.8.2. Attackers must first authenticate to the CMS, typically as a site administrator or other privileged user, to access the media manager and rename files. Once authenticated, the attacker can immediately trigger the flaw and gain remote code execution on the web server. The lack of early detection means that this vulnerability could be exploited at any time until it is remediated.

Generated by OpenCVE AI on May 6, 2026 at 22:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vvveb CMS to a newer release that fixes the rename handler bug.
  • Disable the media manager feature for all users except administrators.
  • Enforce a strict file extension whitelist that blocks ".php", ".htaccess", and other executable extensions.
  • Monitor server logs for unauthorized file renames or the presence of unexpected ".htaccess" files and react promptly.

Generated by OpenCVE AI on May 6, 2026 at 22:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description Vvveb CMS v1.0.8 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows authenticated attackers to rename files to blocked extensions .php or .htaccess. Attackers can exploit this logic flaw by first uploading a text file and renaming it to .htaccess to inject Apache directives that register PHP-executable MIME types, then uploading another file and renaming it to .php to execute arbitrary operating system commands as the www-data user. Vvveb CMS prior to v1.0.8.2 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows authenticated attackers to rename files to blocked extensions .php or .htaccess. Attackers can exploit this logic flaw by first uploading a text file and renaming it to .htaccess to inject Apache directives that register PHP-executable MIME types, then uploading another file and renaming it to .php to execute arbitrary operating system commands as the www-data user.
Title Vvveb CMS v1.0.8 Remote Code Execution via Media Management Vvveb CMS < v1.0.8.2 Remote Code Execution via Media Management

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Vvveb
Vvveb vvveb
Vendors & Products Vvveb
Vvveb vvveb

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Description Vvveb CMS v1.0.8 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows authenticated attackers to rename files to blocked extensions .php or .htaccess. Attackers can exploit this logic flaw by first uploading a text file and renaming it to .htaccess to inject Apache directives that register PHP-executable MIME types, then uploading another file and renaming it to .php to execute arbitrary operating system commands as the www-data user.
Title Vvveb CMS v1.0.8 Remote Code Execution via Media Management
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:H/SA:N'}

Subscriptions

Vvveb Vvveb
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-06T21:18:27.807Z

Reserved: 2026-04-13T21:34:23.065Z

Link: CVE-2026-6257

cve-icon Vulnrichment

Updated: 2026-04-21T18:05:39.462Z

cve-icon NVD

Status : Deferred

Published: 2026-04-20T20:16:49.107

Modified: 2026-05-06T22:16:26.310

Link: CVE-2026-6257

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T22:45:13Z

Weaknesses