CVE-2026-41934
Vvveb < 1.0.8.2 Authenticated RCE via Code Editor
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th
Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code by exploiting insufficient file extension restrictions. Attackers with editor, author, contributor, or site_admin roles can write a malicious .htaccess file to map arbitrary extensions to the PHP handler, then upload PHP code with that extension to achieve unauthenticated remote code execution when the file is accessed via HTTP.
| CWE | CWE-184 |
| Vendor | givanz |
| Product | vvveb |
| Published | May 6, 2026 |
| Last Updated | May 6, 2026 |
Stay Ahead of the Next One
Get instant alerts for givanz vvveb
Be the first to know when new high vulnerabilities affecting givanz vvveb are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
givanz / Vvveb
0 < 1.0.8.2
References
github.com: https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 github.com: https://github.com/givanz/Vvveb/security/advisories/GHSA-vfjj-gcvv-w248 github.com: https://github.com/givanz/Vvveb/commit/1196561276a3f49da5a714fef89ac9a6c6f9e33b vulncheck.com: https://www.vulncheck.com/advisories/vvveb-authenticated-rce-via-code-editor
Credits
Basant Kumar (@CyberWarrior9) Hamed Kohi (@0xhamy) VulnCheck