CVE 8.7 HIGH

Vvveb < 1.0.8.2 RCE via Media Upload Handler_CVE-2026-41938

May 6, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and trigger execution by sending an unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges.

AI Analysis

Unrestricted file upload vulnerability allowing remote code execution with web server privileges

Basic Information

ID CVE-2026-41938

Source VulnCheck

Published May 6, 2026 at 18:42

Modified May 6, 2026 at 19:25

Affected Product

Vendor givanz

Product Vvveb

Affected Versions givanz Vvveb 0

CWE Classification

CWE-434

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor givanz

Product Vvveb

Version < 1.0.8.2

References

{
    "lastseen": "",
    "description": "Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and trigger execution by sending an unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges.",
    "published": "2026-05-06T18:42:35.890Z",
    "modified": "2026-05-06T19:25:41.446Z",
    "type": "cve",
    "title": "Vvveb < 1.0.8.2 RCE via Media Upload Handler",
    "source": "VulnCheck",
    "references": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.2\nhttps://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g\nhttps://github.com/givanz/Vvveb/commit/54a9e846fb94192f1b31ae81d81d25c874662e6a\nhttps://www.vulncheck.com/advisories/vvveb-rce-via-media-upload-handler",
    "id": "CVE-2026-41938",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "givanz Vvveb 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Vvveb",
    "version": "0",
    "vendor": "givanz",
    "ai_description": "Unrestricted file upload vulnerability allowing remote code execution with web server privileges",
    "ai_severity": "High",
    "ai_vendor": "givanz",
    "ai_product": "Vvveb",
    "ai_version": "< 1.0.8.2",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply