216.73.217.64

CVE-2026-41938

· Published 06/05/2026 19:16 · Modified 06/05/2026 20:16

Labels: CVE-2026-41938 2026-05-06CVE-2026-41938CWE-434[email protected]

Essential information

Published
06/05/2026 19:16
Modified
06/05/2026 20:16
Author
Creator
CVSS
8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and trigger execution by sending an unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges.

NVD status

Status
Deferred — When a CVE is given this status the NVD does not plan analyze or re-analyze this CVE due to resource or other concerns.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
vvveb / vvveb cpe:2.3:a:vvveb:vvveb:*:*:*:*:*:*:*:*

References