CVE-2026-41938HIGH 8.8EPSS p41.2%

CVE-2026-41938CVE-2026-41938

Description

Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and execute the uploaded payload through a subsequent unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.54% probability of exploitation · percentile 41.2% · 2026-06-18T12:00:27Z
Published2026-05-06
Last modified2026-05-26

Underlying weaknesses· 1

CWE-434

References

  1. https://github.com/givanz/Vvveb/commit/54a9e846fb94192f1b31ae81d81d25c874662e6a
  2. https://github.com/givanz/Vvveb/releases/tag/1.0.8.2
  3. https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g
  4. https://www.vulncheck.com/advisories/vvveb-rce-via-media-upload-handler
  5. https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g

1

TypeTargetConfidenceTier
WeaknessUnrestricted Upload of File with Dangerous Typecwe-4340%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-41934
CVE
CVE-2026-6249
CVE
CVE-2026-6257
CVE
CVE-2026-41936
CVE
CVE-2026-39918
CVE
CVE-2025-9397
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.