Home

Description

Vvveb before version 1.0.8.2 contains an information disclosure vulnerability that allows unauthenticated attackers to obtain sensitive server information by triggering unhandled exceptions in the password-reset module. Attackers can access the admin password-reset endpoint to trigger a fatal error caused by a missing namespace import, which exposes the absolute server file path, internal class namespaces, line numbers, and source code excerpts through the debug exception handler rendered to unauthenticated requests.

PUBLISHED Reserved 2026-04-22 | Published 2026-05-06 | Updated 2026-05-08 | Assigner VulnCheck




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

Initialization of a Resource with an Insecure Default

Generation of Error Message Containing Sensitive Information

Product status

Default status
affected

Any version before 1.0.8.2
affected

Credits

Basant Kumar (@CyberWarrior9) finder

Hamed Kohi (@0xhamy) finder

VulnCheck finder

References

github.com/.../Vvveb/security/advisories/GHSA-xgvg-r47g-786r exploit

github.com/givanz/Vvveb/releases/tag/1.0.8.2 release-notes

github.com/.../Vvveb/security/advisories/GHSA-xgvg-r47g-786r vendor-advisory

www.vulncheck.com/...-disclosure-via-debug-exception-handler third-party-advisory

cve.org (CVE-2026-41931)

nvd.nist.gov (CVE-2026-41931)

Download JSON