Home

Description

Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and trigger execution by sending an unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges.

PUBLISHED Reserved 2026-04-22 | Published 2026-05-06 | Updated 2026-05-08 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Unrestricted Upload of File with Dangerous Type

Product status

Default status
affected

Any version before 1.0.8.2
affected

Credits

Basant Kumar (@CyberWarrior9) finder

VulnCheck finder

References

github.com/.../Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g exploit

github.com/givanz/Vvveb/releases/tag/1.0.8.2 release-notes

github.com/.../Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g vendor-advisory

github.com/...ommit/54a9e846fb94192f1b31ae81d81d25c874662e6a patch

www.vulncheck.com/...ries/vvveb-rce-via-media-upload-handler third-party-advisory

cve.org (CVE-2026-41938)

nvd.nist.gov (CVE-2026-41938)

Download JSON