CVE-2026-41934 · HIGH 8.8 · EPSS p41.4%

Description

Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code through insufficient file extension restrictions, with the uploaded payload then executable via subsequent unauthenticated HTTP requests. Attackers with editor, author, contributor, or site_admin roles can write a malicious .htaccess file to map arbitrary extensions to the PHP handler, then upload PHP code with that extension to achieve unauthenticated remote code execution when the file is accessed via HTTP.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.55% probability of exploitation · percentile 41.4% · 2026-06-18T12:00:27Z
Published: 2026-05-06
Last modified: 2026-05-26

Underlying weaknesses · 1

CWE-184

References

  1. https://github.com/givanz/Vvveb/commit/1196561276a3f49da5a714fef89ac9a6c6f9e33b
  2. https://github.com/givanz/Vvveb/releases/tag/1.0.8.2
  3. https://github.com/givanz/Vvveb/security/advisories/GHSA-vfjj-gcvv-w248
  4. https://www.vulncheck.com/advisories/vvveb-authenticated-rce-via-code-editor

Type: Weakness · Target: Incomplete List of Disallowed Inputs (cwe-184) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-41938
  2. CVE-2026-39918
  3. CVE-2026-41936
  4. CVE-2026-6249
  5. CVE-2026-6257
  6. CVE-2025-44022

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.