Which versions of Vvveb are affected by CVE-2026-34428?

Vvveb CMS versions before 1.0.8.1 contain a server-side request forgery vulnerability that allows authenticated backend users to read sensitive files from the server and probe internal network…. A patch is available.

How to fix or mitigate CVE-2026-34428?

Within 24 hours: Identify all systems running Vvveb CMS and document current version numbers. Within 7 days: Upgrade all Vvveb CMS installations to version 1.0.8.1 or later; test in non-production environment first. Within 30 days: Verify upgrade completion across all instances and review backend user access logs for suspicious oEmbedProxy activity during the pre-patch period.

Vvveb CVE-2026-34428

Q: What is the CVSS score of CVE-2026-34428?

CVE-2026-34428 has a CVSS 4.0 base score of 8.3 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-23852 HIGH

Server-Side Request Forgery (SSRF) (CWE-918)

2026-04-20 VulnCheck

SSRF Vvveb

8.3

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

8.3 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 20, 2026 - 16:22 vuln.today

cvss_changed

CVSS changed

Apr 20, 2026 - 16:22 NVD

7.7 (HIGH) 8.3 (HIGH)

Analysis Generated

Apr 20, 2026 - 15:04 vuln.today

EUVD ID Assigned

Apr 20, 2026 - 14:45 euvd

EUVD-2026-23852

Analysis Generated

Apr 20, 2026 - 14:45 vuln.today

Patch released

Apr 20, 2026 - 14:45 nvd

Patch available

CVE Published

Apr 20, 2026 - 13:55 nvd

HIGH 8.3

DescriptionCVE.org

Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl() via curl without scheme or destination validation. Authenticated backend users can supply file:// URLs to read arbitrary files readable by the web server process or http:// URLs targeting internal network addresses to probe internal services, with response bodies returned directly to the caller.

AnalysisAI

Server-Side Request Forgery in Vvveb CMS versions prior to 1.0.8.1 allows authenticated backend users to read arbitrary local files via file:// URLs or probe internal network services via http:// URLs through the oEmbedProxy action's unvalidated url parameter. The vulnerability (CWE-918) enables information disclosure from the web server's filesystem and internal network reconnaissance. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain backend credentials

Delivery

Authenticate to Vvveb CMS

Exploit

Access editor module

Execution

Craft oEmbedProxy request with file:// or internal http:// URL

Persist

Extract sensitive data from response

Impact

Pivot to internal resources or cloud infrastructure