Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Vvveb before version 1.0.8.2 contains an information disclosure vulnerability that allows unauthenticated attackers to obtain sensitive server information by triggering unhandled exceptions in the password-reset module. Attackers can access the admin password-reset endpoint to trigger a fatal error caused by a missing namespace import, which exposes the absolute server file path, internal class namespaces, line numbers, and source code excerpts through the debug exception handler rendered to unauthenticated requests.
AnalysisAI
Vvveb before version 1.0.8.2 allows unauthenticated remote attackers to disclose sensitive server information including absolute file paths, internal class namespaces, line numbers, and source code excerpts by accessing the admin password-reset endpoint and triggering a fatal error caused by missing namespace imports. The debug exception handler renders full stack traces to unauthenticated requests, enabling reconnaissance attacks without authentication or user interaction. No active exploitation confirmed, but the vulnerability is easily discoverable and exploitable over the network.
Technical ContextAI
Vvveb is a PHP-based website builder and CMS platform. The vulnerability resides in the password-reset module's exception handling logic, which fails to properly import a required namespace, causing an unhandled exception. When this exception is thrown, the debug exception handler (enabled by default in affected versions) renders the full PHP stack trace directly to the HTTP response, including file system paths, class hierarchies, and code line numbers. This violates the principle of secure error handling and mirrors the class of mistakes tracked under CWE-1188 (Initialization with Hard-Coded Network Resource Configuration Data), though the root cause here is specifically improper exception handler scope and debug mode exposure. The vulnerability affects the entire Vvveb product line below version 1.0.8.2 (CPE: cpe:2.3:a:givanz:vvveb:*:*:*:*:*:*:*:*). The fix in 1.0.8.2 includes disabling debug output by default and preventing stack trace exposure in production environments, as evidenced by the release note 'Set debug to false by default to hide trace info that exposes php files path'.
RemediationAI
Vendor-released patch: Upgrade Vvveb to version 1.0.8.2 or later. The fix includes disabling debug mode by default (preventing stack trace exposure) and ensuring proper namespace imports in the password-reset module. For users unable to upgrade immediately, the following compensating controls are available: (1) Disable debug mode manually by setting debug flag to false in the application configuration-this prevents exception stack traces from rendering to HTTP responses, with no functional side effects in production; (2) Restrict network access to the password-reset admin endpoint using firewall rules or web server configuration (e.g., .htaccess or nginx location blocks) to allow only trusted IP ranges, limiting attack surface but maintaining availability for legitimate password recovery from trusted networks; (3) Deploy a Web Application Firewall (WAF) rule to detect requests to the password-reset endpoint that trigger error responses and block or log them; (4) Monitor access logs for repeated requests to /admin/password-reset or similar endpoints from untrusted IPs and alert on potential reconnaissance. Advisory: https://github.com/givanz/Vvveb/security/advisories/GHSA-xgvg-r47g-786r.
An issue in vvveb CMS v.1.0.6 allows a remote attacker to execute arbitrary code via the Plugin mechanism. Rated critica
A security flaw has been discovered in givanz Vvveb up to 1.0.7.2. Rated medium severity (CVSS 5.5), this vulnerability
A security vulnerability has been detected in givanz Vvveb 1.0.7.2. Rated medium severity (CVSS 5.3), this vulnerability
Remote code execution in Vvveb CMS versions prior to 1.0.8.1 allows unauthenticated attackers to inject arbitrary PHP co
Stored cross-site scripting in Vvveb prior to 1.0.8.1 allows authenticated users with media upload and rename permission
Privilege escalation in Vvveb CMS versions prior to 1.0.8.1 allows authenticated low-privileged users to inject role_id=
SQL injection in Vvveb CMS versions before 1.0.8.3 allows authenticated frontend users to execute arbitrary SQL queries
Remote code execution in Vvveb CMS versions before 1.0.8.2 enables low-privilege authenticated users (editor, author, co
Server-Side Request Forgery in Vvveb CMS versions prior to 1.0.8.1 allows authenticated backend users to read arbitrary
Authenticated administrators in Vvveb CMS versions before 1.0.8.3 can access REST API tokens of other administrators thr
Vvveb CMS versions before 1.0.8.3 allow authenticated users to hijack other users' shopping carts during checkout. The c
Negative quantity manipulation in Vvveb CMS versions before 1.0.8.2 allows unauthenticated remote attackers to create or
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27887