Vvveb < 1.0.8.2 XML External Entity Injection via Import

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

Vvveb before version 1.0.8.2 contains an XML external entity (XXE) injection vulnerability in the admin Tools/Import feature that allows authenticated site_admin users to read arbitrary files and modify database records. Attackers can exploit the XML parser configuration in system/import/xml.php to inject file:// or php://filter entity references that are resolved and persisted into the application database, enabling arbitrary file disclosure and administrator password hash overwriting for privilege escalation.

AI Analysis

XML External Entity (XXE) injection vulnerability in Vvveb's admin Tools/Import feature

Basic Information

ID CVE-2026-41936

Source VulnCheck

Published May 6, 2026 at 18:27

Modified May 6, 2026 at 19:25

Affected Product

Vendor givanz

Product Vvveb

Affected Versions givanz Vvveb 0

CWE Classification

CWE-611

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor givanz

Product Vvveb

Version < 1.0.8.2

References

{
    "lastseen": "",
    "description": "Vvveb before version 1.0.8.2 contains an XML external entity (XXE) injection vulnerability in the admin Tools/Import feature that allows authenticated site_admin users to read arbitrary files and modify database records. Attackers can exploit the XML parser configuration in system/import/xml.php to inject file:// or php://filter entity references that are resolved and persisted into the application database, enabling arbitrary file disclosure and administrator password hash overwriting for privilege escalation.",
    "published": "2026-05-06T18:27:42.011Z",
    "modified": "2026-05-06T19:25:51.012Z",
    "type": "cve",
    "title": "Vvveb < 1.0.8.2 XML External Entity Injection via Import",
    "source": "VulnCheck",
    "references": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.2\nhttps://github.com/givanz/Vvveb/security/advisories/GHSA-rfxr-4xpm-wrp7\nhttps://github.com/givanz/Vvveb/commit/86f7128a18edebe0ff47e3855558467eb0ef9106\nhttps://www.vulncheck.com/advisories/vvveb-xml-external-entity-injection-via-import",
    "id": "CVE-2026-41936",
    "bulletinFamily": "",
    "cwe": [
        "CWE-611"
    ],
    "cvelist": null,
    "sourceData": "givanz Vvveb 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Vvveb",
    "version": "0",
    "vendor": "givanz",
    "ai_description": "XML External Entity (XXE) injection vulnerability in Vvveb's admin Tools/Import feature",
    "ai_severity": "High",
    "ai_vendor": "givanz",
    "ai_product": "Vvveb",
    "ai_version": "< 1.0.8.2",
    "ai_score": 8.6
}

Vvveb < 1.0.8.2 XML External Entity Injection via Import_CVE-2026-41936