Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and execute the uploaded payload through a subsequent unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges.
References
Configurations
No configuration.
History
26 May 2026, 00:16
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and execute the uploaded payload through a subsequent unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges. |
06 May 2026, 20:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g - |
06 May 2026, 19:20
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-06 19:16
Updated : 2026-06-17 10:47
NVD link : CVE-2026-41938
Mitre link : CVE-2026-41938
CVE.ORG link : CVE-2026-41938
Products Affected
No product.
CWE
CWE-434
Unrestricted Upload of File with Dangerous Type
