CVE-2026-39918 CRITICAL

CVE-2026-39918: Vvveb < 1.0.8.1 Code Injection via Installation Endpoint

Vendor Givanz
Product Vvveb
Weakness CWE-94 · Code injection
Published April 20, 2026
Last update May 8, 2026

CVSS base score

9.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the define statement to achieve unauthenticated remote code execution as the web server user.
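The weakness class described above, shown as an added example that is not Vvveb's code: a config writer that concatenates a request value into a define statement, beside a hardened writer that validates the value and serializes it with var_export(). The constant name APP_SUBDIR, the function names and the sample inputs are assumptions made for illustration; str_contains() requires PHP 8.

```php
<?php
declare(strict_types=1);
// Hypothetical installer helpers (not Vvveb's code); APP_SUBDIR is an assumed name.

// Pattern the advisory describes: raw input concatenated into a PHP string
// literal, so the request value becomes part of the generated source.
function renderDefineUnsafe(string $subdir): string
{
    return "define('APP_SUBDIR', '" . $subdir . "');\n";
}

// Hardened: allowlist the value, then emit it with var_export() so it is
// always one correctly escaped string literal.
function renderDefineSafe(string $subdir): string
{
    // Accept "" or /seg/seg with [A-Za-z0-9._-] segments; no ".." anywhere.
    if (!preg_match('#\A(?:/[A-Za-z0-9._-]+)*\z#', $subdir) || str_contains($subdir, '..')) {
        throw new InvalidArgumentException('subdir rejected');
    }
    return "define('APP_SUBDIR', " . var_export($subdir, true) . ");\n";
}

// Defense in depth before writing the file: the line must tokenize to exactly
// identifier ( string , string ) ; and nothing else.
function isSingleDefine(string $line): bool
{
    $shape = '';
    foreach (token_get_all('<?php ' . $line) as $tok) {
        if (!is_array($tok)) {
            $shape .= $tok;                      // punctuation such as ( , ) ;
        } elseif ($tok[0] === T_CONSTANT_ENCAPSED_STRING) {
            $shape .= 'S';                       // a complete quoted literal
        } elseif ($tok[0] === T_STRING) {
            $shape .= 'I';                       // an identifier such as define
        } elseif ($tok[0] !== T_OPEN_TAG && $tok[0] !== T_WHITESPACE) {
            $shape .= '?';                       // anything unexpected
        }
    }
    return $shape === 'I(S,S);';
}

// Constructed sample inputs (not from the advisory).
foreach (['/shop', "/shop'x"] as $input) {
    echo $input, ' unsafe line well-formed: ', var_export(isSingleDefine(renderDefineUnsafe($input)), true), "\n";
    try {
        echo $input, ' safe line well-formed: ', var_export(isSingleDefine(renderDefineSafe($input)), true), "\n";
    } catch (InvalidArgumentException $e) {
        echo $input, ' ', $e->getMessage(), "\n";
    }
}
```

The token-shape check is independent of the validation, so it also works as a review or CI test over any code path that generates PHP configuration from user input.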

Key dates

02 Disclosure timeline

April 20, 2026 CVE published
May 8, 2026 Record updated