CVE Alert

CVE-2026-6249

HIGH 8.8

Vvveb CMS 1.0.8 Remote Code Execution via Media Upload

CVSS Score: 8.8
EPSS Score: 0.0%
EPSS Percentile: 0th

Vvveb CMS 1.0.8 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass the extension deny-list and upload malicious files to the publicly accessible media directory, then request the file over HTTP to achieve full server compromise.

CWE: CWE-434
Vendor: vvveb
Product: vvveb cms
Published: Apr 20, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

Vvveb / Vvveb CMS
1.0.8

References

github.com: https://github.com/givanz/Vvveb/commit/23ac0e8c758d80f3c4d9224763c8b2359648270e
vulncheck.com: https://www.vulncheck.com/advisories/vvveb-cms-remote-code-execution-via-media-upload

Credits

Mohammed EL OUARDANI