Skip to main content

Vvveb CVE-2026-41931

| EUVDEUVD-2026-27887 MEDIUM
Initialization of a Resource with an Insecure Default (CWE-1188)
2026-05-06 VulnCheck
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Patch available
May 06, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 06, 2026 - 19:47 vuln.today
Analysis Generated
May 06, 2026 - 19:47 vuln.today
CVSS changed
May 06, 2026 - 19:22 NVD
5.3 (MEDIUM) 6.9 (MEDIUM)
CVE Published
May 06, 2026 - 18:36 nvd
MEDIUM 6.9

DescriptionCVE.org

Vvveb before version 1.0.8.2 contains an information disclosure vulnerability that allows unauthenticated attackers to obtain sensitive server information by triggering unhandled exceptions in the password-reset module. Attackers can access the admin password-reset endpoint to trigger a fatal error caused by a missing namespace import, which exposes the absolute server file path, internal class namespaces, line numbers, and source code excerpts through the debug exception handler rendered to unauthenticated requests.

AnalysisAI

Vvveb before version 1.0.8.2 allows unauthenticated remote attackers to disclose sensitive server information including absolute file paths, internal class namespaces, line numbers, and source code excerpts by accessing the admin password-reset endpoint and triggering a fatal error caused by missing namespace imports. The debug exception handler renders full stack traces to unauthenticated requests, enabling reconnaissance attacks without authentication or user interaction. No active exploitation confirmed, but the vulnerability is easily discoverable and exploitable over the network.

Technical ContextAI

Vvveb is a PHP-based website builder and CMS platform. The vulnerability resides in the password-reset module's exception handling logic, which fails to properly import a required namespace, causing an unhandled exception. When this exception is thrown, the debug exception handler (enabled by default in affected versions) renders the full PHP stack trace directly to the HTTP response, including file system paths, class hierarchies, and code line numbers. This violates the principle of secure error handling and mirrors the class of mistakes tracked under CWE-1188 (Initialization with Hard-Coded Network Resource Configuration Data), though the root cause here is specifically improper exception handler scope and debug mode exposure. The vulnerability affects the entire Vvveb product line below version 1.0.8.2 (CPE: cpe:2.3:a:givanz:vvveb:*:*:*:*:*:*:*:*). The fix in 1.0.8.2 includes disabling debug output by default and preventing stack trace exposure in production environments, as evidenced by the release note 'Set debug to false by default to hide trace info that exposes php files path'.

RemediationAI

Vendor-released patch: Upgrade Vvveb to version 1.0.8.2 or later. The fix includes disabling debug mode by default (preventing stack trace exposure) and ensuring proper namespace imports in the password-reset module. For users unable to upgrade immediately, the following compensating controls are available: (1) Disable debug mode manually by setting debug flag to false in the application configuration-this prevents exception stack traces from rendering to HTTP responses, with no functional side effects in production; (2) Restrict network access to the password-reset admin endpoint using firewall rules or web server configuration (e.g., .htaccess or nginx location blocks) to allow only trusted IP ranges, limiting attack surface but maintaining availability for legitimate password recovery from trusted networks; (3) Deploy a Web Application Firewall (WAF) rule to detect requests to the password-reset endpoint that trigger error responses and block or log them; (4) Monitor access logs for repeated requests to /admin/password-reset or similar endpoints from untrusted IPs and alert on potential reconnaissance. Advisory: https://github.com/givanz/Vvveb/security/advisories/GHSA-xgvg-r47g-786r.

More in Vvveb

View all
CVE-2025-44022 CRITICAL POC
9.8 May 12

An issue in vvveb CMS v.1.0.6 allows a remote attacker to execute arbitrary code via the Plugin mechanism. Rated critica

CVE-2025-11028 MEDIUM POC
5.5 Sep 26

A security flaw has been discovered in givanz Vvveb up to 1.0.7.2. Rated medium severity (CVSS 5.5), this vulnerability

CVE-2025-9728 MEDIUM POC
5.3 Aug 31

A security vulnerability has been detected in givanz Vvveb 1.0.7.2. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-39918 CRITICAL
9.2 Apr 20

Remote code execution in Vvveb CMS versions prior to 1.0.8.1 allows unauthenticated attackers to inject arbitrary PHP co

CVE-2026-34429 MEDIUM POC
5.1 Apr 20

Stored cross-site scripting in Vvveb prior to 1.0.8.1 allows authenticated users with media upload and rename permission

CVE-2026-34427 HIGH
8.7 Apr 20

Privilege escalation in Vvveb CMS versions prior to 1.0.8.1 allows authenticated low-privileged users to inject role_id=

CVE-2026-45800 HIGH
8.7 May 15

SQL injection in Vvveb CMS versions before 1.0.8.3 allows authenticated frontend users to execute arbitrary SQL queries

CVE-2026-41934 HIGH
8.7 May 06

Remote code execution in Vvveb CMS versions before 1.0.8.2 enables low-privilege authenticated users (editor, author, co

CVE-2026-34428 HIGH
8.3 Apr 20

Server-Side Request Forgery in Vvveb CMS versions prior to 1.0.8.1 allows authenticated backend users to read arbitrary

CVE-2026-46407 HIGH
8.1 May 15

Authenticated administrators in Vvveb CMS versions before 1.0.8.3 can access REST API tokens of other administrators thr

CVE-2026-46408 HIGH
7.6 May 15

Vvveb CMS versions before 1.0.8.3 allow authenticated users to hijack other users' shopping carts during checkout. The c

CVE-2026-44826 HIGH
7.5 May 15

Negative quantity manipulation in Vvveb CMS versions before 1.0.8.2 allows unauthenticated remote attackers to create or

Share

CVE-2026-41931 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy