Vvveb CMS CVE-2026-41937

Q: What is the CVSS score of CVE-2026-41937?

CVE-2026-41937 has a CVSS 4.0 base score of 8.6 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

Q: Which versions of Vvveb CMS are affected by CVE-2026-41937?

Vvveb CMS before version 1.0.8.3 contains a remote code execution vulnerability that allows authenticated super_admin users to upload malicious plugins and execute arbitrary code at the web server…. A patch is available.

EUVD-2026-30297 HIGH

UNIX Symbolic Link (Symlink) Following (CWE-61)

2026-05-14 disclosure@vulncheck.com

GHSA-gv85-3994-qprw

PHP File Upload

8.6

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 14, 2026 - 16:01 EUVD

Source Code Evidence Fetched

May 14, 2026 - 15:32 vuln.today

Analysis Generated

May 14, 2026 - 15:32 vuln.today

CVE Published

May 14, 2026 - 15:16 nvd

HIGH 8.6

DescriptionNVD

Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows super_admin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file. Attackers can craft a ZIP containing a plugin.php with a valid Slug header and a public/index.php file with arbitrary PHP code, which executes as the web server user when accessed via unauthenticated HTTP requests to the plugin's public path.

AnalysisAI

Remote code execution in Vvveb CMS before 1.0.8.3 allows authenticated super_admin users to upload malicious plugin ZIP files containing arbitrary PHP code. Once uploaded, the code executes with web server privileges via unauthenticated HTTP requests to the plugin's public directory, enabling privilege escalation from authenticated admin to system-level code execution. …

RemediationAI

Within 24 hours: Identify all Vvveb CMS instances in your environment and document current versions; restrict super_admin plugin upload functionality through web application firewall rules or access controls. Within 7 days: Contact Vvveb vendor for patch timeline and interim security guidance; implement file integrity monitoring on plugin directories; review admin account access logs for suspicious plugin uploads. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-41937 vulnerability details – vuln.today

Back

Vvveb CMS CVE-2026-41937

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Vvveb CMS CVE-2026-41937

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code