Which versions of Vvveb are affected by CVE-2026-41935?

CVE-2026-41935 affects Vvveb admin controllers and enables authenticated low-privilege users to trigger infinite recursion that exhausts PHP worker memory, causing complete denial of service across…. A patch is available.

Vvveb CVE-2026-41935

Q: What is the CVSS score of CVE-2026-41935?

CVE-2026-41935 has a CVSS 4.0 base score of 7.1 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-30293 HIGH

Error Message Information Leak (CWE-209)

2026-05-14 disclosure@vulncheck.com

GHSA-gpm5-vv3g-pcjf

PHP Denial Of Service Information Disclosure

7.1

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 14, 2026 - 16:01 EUVD

Source Code Evidence Fetched

May 14, 2026 - 15:31 vuln.today

Analysis Generated

May 14, 2026 - 15:31 vuln.today

CVE Published

May 14, 2026 - 15:16 nvd

HIGH 7.1

DescriptionNVD

Vvveb before 1.0.8.3 contains an uncontrolled recursion vulnerability in the admin controller dispatch cycle where Base::init() repeatedly invokes permission() on error handlers, causing infinite recursion until PHP memory limits are exhausted. Attackers can send sustained requests to forbidden admin URLs from a low-privilege account to exhaust PHP memory on all workers and cause denial of service to legitimate traffic.

AnalysisAI

Infinite recursion in Vvveb admin controller exhausts PHP memory through repeated permission checks when low-privilege users access forbidden admin URLs. Sustained requests deplete worker memory causing site-wide denial of service. …

RemediationAI

Within 24 hours: inventory all Vvveb installations and identify current versions below 1.0.8.3; disable or restrict access to admin controller endpoints for non-administrator accounts via web application firewall or reverse proxy rules. Within 7 days: upgrade all affected Vvveb instances to version 1.0.8.3 or later; verify the upgrade by confirming commit c766e84b is present in deployed code. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-41935 vulnerability details – vuln.today

Back

Vvveb CVE-2026-41935

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Vvveb CVE-2026-41935

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code