CVE-2026-6257

216.73.217.22

· Published 20/04/2026 20:16 · Modified 21/04/2026 16:19

Labels: CVE-2026-6257 2026-04-20 CVE-2026-6257 CWE-434 [email protected]

Essential information

Published: 20/04/2026 20:16
Modified: 21/04/2026 16:19
Author: —
Creator: —
CVSS: 9.2 CRITICAL (v3) 9.2 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Vvveb CMS v1.0.8 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows authenticated attackers to rename files to blocked extensions .php or .htaccess. Attackers can exploit this logic flaw by first uploading a text file and renaming it to .htaccess to inject Apache directives that register PHP-executable MIME types, then uploading another file and renaming it to .php to execute arbitrary operating system commands as the www-data user.

NVD status

Status: Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
vvveb / vvveb cms	`cpe:2.3:a:vvveb:vvveb_cms:1.0.8:::::::*`