CVE-2026-41938
Vvveb < 1.0.8.2 RCE via Media Upload Handler
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th
Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and trigger execution by sending an unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges.
| CWE | CWE-434 |
| Vendor | givanz |
| Product | vvveb |
| Published | May 6, 2026 |
| Last Updated | May 6, 2026 |
Stay Ahead of the Next One
Get instant alerts for givanz vvveb
Be the first to know when new high vulnerabilities affecting givanz vvveb are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
givanz / Vvveb
0 < 1.0.8.2
References
github.com: https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 github.com: https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g github.com: https://github.com/givanz/Vvveb/commit/54a9e846fb94192f1b31ae81d81d25c874662e6a vulncheck.com: https://www.vulncheck.com/advisories/vvveb-rce-via-media-upload-handler
Credits
Basant Kumar (@CyberWarrior9) VulnCheck