CVE-2026-41938 HIGH

CVE-2026-41938: Vvveb < 1.0.8.2 RCE via Media Upload Handler

Vendor Givanz
Product Vvveb
Weakness CWE-434 · Unrestricted file upload
Published May 6, 2026
Last update May 25, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and execute the uploaded payload through a subsequent unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges.
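For defenders checking whether an existing media directory already holds the artefacts described above, the following audit script is an added example and is not part of the CVE record or of Vvveb's code. The directory layout, the baseline extension list and the sample files are assumptions constructed for illustration; it flags any `.htaccess` in the upload tree, reports the handler mappings it declares, and lists files carrying a mapped or PHP-executable extension anywhere in their name.

```python
import re
import tempfile
from pathlib import Path

# Apache directives that can bind file extensions (or everything) to a handler.
DIRECTIVE_RE = re.compile(r"^[ \t]*(AddHandler|AddType|SetHandler|ForceType)\b.*$", re.I | re.M)
# Extensions a PHP setup may already execute (assumed baseline, adjust per server).
BASELINE_EXTS = {".php", ".phtml", ".phar"}

def mapped_extensions(htaccess_text):
    """Return (directive lines, extensions they map) from .htaccess content."""
    lines, exts = [], set()
    for m in DIRECTIVE_RE.finditer(htaccess_text):
        tokens = m.group(0).split()
        lines.append(" ".join(tokens))
        if tokens[0].lower() in ("addhandler", "addtype"):
            exts.update("." + t.lstrip(".").lower() for t in tokens[2:])
    return lines, exts

def audit_upload_dir(root):
    """Return sorted (relative path, reason) findings for an upload directory."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    findings, risky = [], set(BASELINE_EXTS)
    for p in files:  # pass 1: any .htaccess is suspect; mappings are pooled tree-wide
        if p.name.lower() == ".htaccess":
            lines, exts = mapped_extensions(p.read_text(errors="replace"))
            risky |= exts
            reason = "handler mapping: " + "; ".join(lines) if lines else "unexpected .htaccess"
            findings.append((p.relative_to(root).as_posix(), reason))
    for p in files:  # pass 2: mod_mime considers every extension in a file name
        hit = risky & {s.lower() for s in p.suffixes}
        if hit:
            findings.append((p.relative_to(root).as_posix(), "executable extension " + ",".join(sorted(hit))))
    return sorted(findings)

def build_sample(root):
    """Write a constructed upload tree; file bodies are inert placeholders."""
    d = Path(root) / "2026"
    d.mkdir()
    for name in ("logo.png", "notes.phtml", "photo.phtml.jpg"):
        (d / name).write_text("placeholder")
    (d / ".htaccess").write_text("AddType application/x-httpd-php .phtml\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, reason in audit_upload_dir(tmp):
            print(f"{path}: {reason}")
```

A finding here is a prompt for review, not proof of compromise; the durable fix is upgrading to 1.0.8.2 or later.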

Key dates

02 Disclosure timeline

May 6, 2026 CVE published
May 25, 2026 Record updated