CVE-2026-41930 · CRITICAL 9.8 · EPSS p26.4%

Description

Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to gain unrestricted read and write access to the entire Vvveb database, including administrator password hashes, customer personally identifiable information, and order data, enabling account takeover and data manipulation.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.35% probability of exploitation · percentile 26.4% · 2026-06-19T12:03:05Z
Published: 2026-05-06
Last modified: 2026-05-06

Underlying weaknesses · 1

CWE-306

References

  1. https://github.com/givanz/Vvveb/commit/f85ca7c2bc389bda3cc2eca87b2514581a628c32
  2. https://github.com/givanz/Vvveb/releases/tag/1.0.8.2
  3. https://github.com/givanz/Vvveb/security/advisories/GHSA-g38h-mr9p-fjmf
  4. https://www.vulncheck.com/advisories/vvveb-hard-coded-credentials-information-disclosure-via-phpmyadmin

Type: Weakness
Target: Missing Authentication for Critical Function (cwe-306)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-39918
  2. CVE-2026-41934
  3. CVE-2026-46407
  4. CVE-2026-41936
  5. CVE-2026-34427
  6. CVE-2026-41938
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.