CVE 8.7 HIGH

Vvveb CMS 1.0.8 Remote Code Execution via Media Upload_CVE-2026-6249

April 20, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Vvveb CMS 1.0.8 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass the extension deny-list and upload malicious files to the publicly accessible media directory, then request the file over HTTP to achieve full server compromise.

AI Analysis

Remote code execution vulnerability in the media upload handler of Vvveb CMS 1.0.8, allowing authenticated attackers to execute arbitrary operating system commands.

Basic Information

ID CVE-2026-6249

Source VulnCheck

Published Apr 20, 2026 at 19:57

Affected Product

Vendor Vvveb

Product Vvveb CMS

Version 1.0.8

Affected Versions Vvveb Vvveb CMS 1.0.8

CWE Classification

CWE-434

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor Vvveb

Product Vvveb CMS

Version 1.0.8

References

{
    "lastseen": "",
    "description": "Vvveb CMS 1.0.8 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass the extension deny-list and upload malicious files to the publicly accessible media directory, then request the file over HTTP to achieve full server compromise.",
    "published": "2026-04-20T19:57:37.655Z",
    "modified": "2026-04-20T19:57:37.655Z",
    "type": "cve",
    "title": "Vvveb CMS 1.0.8 Remote Code Execution via Media Upload",
    "source": "VulnCheck",
    "references": "https://github.com/givanz/Vvveb/commit/23ac0e8c758d80f3c4d9224763c8b2359648270e\nhttps://www.vulncheck.com/advisories/vvveb-cms-remote-code-execution-via-media-upload",
    "id": "CVE-2026-6249",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "Vvveb Vvveb CMS 1.0.8",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Vvveb CMS",
    "version": "1.0.8",
    "vendor": "Vvveb",
    "ai_description": "Remote code execution vulnerability in the media upload handler of Vvveb CMS 1.0.8, allowing authenticated attackers to execute arbitrary operating system commands.",
    "ai_severity": "High",
    "ai_vendor": "Vvveb",
    "ai_product": "Vvveb CMS",
    "ai_version": "1.0.8",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply