CVE-2026-41936 HIGH

CVE-2026-41936: Vvveb < 1.0.8.2 XML External Entity Injection via Import

Vendor: Givanz
Product: Vvveb
Weakness: CWE-611 (XML External Entity Injection, XXE)
Published: May 6, 2026
Last update: May 8, 2026

CVSS 4.0 base score

8.6/10 (High)
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality impact: High
Integrity impact: High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

Vvveb before version 1.0.8.2 contains an XML external entity (XXE) injection vulnerability in the admin Tools/Import feature. An authenticated site_admin user can supply an import document whose external entities are resolved by the XML parser configured in system/import/xml.php: entity references using file:// or php://filter URIs are expanded and the resulting content is persisted into the application database. This yields arbitrary file disclosure and, because imported values are written to database records, allows an administrator password hash to be overwritten, enabling privilege escalation.
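The weak and the hardened parser configuration side by side, as an added illustration of the CWE-611 pattern the description names; this is example code written for this page, not Vvveb's own system/import/xml.php, and the function names and the sample document are constructed.

```php
<?php
// Added example, not Vvveb's code. Shows why a LIBXML_NOENT import parser
// resolves file:// or php://filter entities, and the hardened form that refuses
// DTDs outright. Function names and the sample document are constructed.

declare(strict_types=1);

// Weak pattern: LIBXML_NOENT tells libxml to substitute entities, so a
// <!ENTITY x SYSTEM "file:///..."> declaration (or a php://filter URI) is
// fetched and its content becomes ordinary element text; an import routine
// then writes that text into the database as if it were user data.
function importXmlWeak(string $xml): ?SimpleXMLElement
{
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return $doc === false ? null : $doc;
}

// Hardened pattern: a data import has no legitimate use for a DTD, so reject
// any DOCTYPE before parsing (this also blocks internal-entity expansion
// attacks), never pass LIBXML_NOENT, and add LIBXML_NONET so the parser cannot
// reach the network even if a DTD slipped through.
function importXmlHardened(string $xml): ?SimpleXMLElement
{
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException(
            'XML import rejected: DOCTYPE/entity declarations are not allowed'
        );
    }
    // PHP 8 no longer loads external entities by default; on PHP 7 the
    // loader must be switched off explicitly.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    return $doc === false ? null : $doc;
}

// Constructed import document carrying an external entity declaration with a
// placeholder target; the hardened importer refuses it before parsing.
$sample = '<?xml version="1.0"?>'
    . '<!DOCTYPE users [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>'
    . '<users><user><email>&ext;</email></user></users>';

try {
    importXmlHardened($sample);
    echo "unexpected: document accepted\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The DOCTYPE check is a reject-by-shape rule: it logs and drops the import, which is also the event a detection rule on the import endpoint should alert on.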

Disclosure timeline

May 6, 2026: CVE published
May 8, 2026: Record updated