CVE-2026-39918 · CRITICAL 9.8 · EPSS p46.9%


Description

Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the define statement to achieve unauthenticated remote code execution as the web server user.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.66% probability of exploitation · percentile 46.9% · 2026-06-18T12:00:27Z
Published: 2026-04-20
Last modified: 2026-04-20

Underlying weaknesses · 1

CWE-94

References

  1. https://github.com/givanz/Vvveb/commit/5162c1639130bd080ab63c7d856788cd59d6b3b7
  2. https://github.com/givanz/Vvveb/releases/tag/1.0.8.1
  3. https://www.vulncheck.com/advisories/vvveb-code-injection-via-installation-endpoint


Type: Weakness
Target: Improper Control of Generation of Code ('Code Injection') (cwe-94)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-41934
  2. CVE-2026-41938
  3. CVE-2026-41936
  4. CVE-2026-41930
  5. CVE-2025-44022
  6. CVE-2026-34427

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.