Description

Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. Attackers can access the cron controller without authentication and retrieve the exposed secret key from the response, enabling them to trigger scheduled task execution outside of the intended schedule.

PUBLISHED Reserved 2026-04-22 | Published 2026-05-07 | Updated 2026-05-08 | Assigner VulnCheck




MEDIUM: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)

MEDIUM: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Problem types

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Product status

Default status
affected

Any version before 1.0.8.2
affected

Credits

Basant Kumar (@CyberWarrior9) finder

Hamed Kohi (@0xHamy) finder

VulnCheck finder

References

github.com/...ommit/517bc09faf44136e72de391aacc8b90a706f7ae7 patch

www.vulncheck.com/...ormation-disclosure-via-cron-controller third-party-advisory

cve.org (CVE-2026-41928)

nvd.nist.gov (CVE-2026-41928)