Vvveb CMS CVE-2026-41938

EUVD-2026-27893 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-05-06 VulnCheck
CVSS 4.0: 8.7

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

Source Code Evidence Fetched: May 06, 2026 - 19:46 (vuln.today)
Analysis Generated: May 06, 2026 - 19:46 (vuln.today)
CVSS changed: May 06, 2026 - 19:22 (NVD), 8.8 (HIGH) → 8.7 (HIGH)
CVE Published: May 06, 2026 - 18:42 (nvd), HIGH 8.7

Description (NVD)

Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and trigger execution by sending an unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges.

Analysis (AI)

Remote code execution in Vvveb CMS versions before 1.0.8.2 allows authenticated users with media-upload permissions to execute arbitrary PHP code with web server privileges via a two-stage attack: uploading a malicious .htaccess file to map .phtml extensions to the PHP handler, then uploading a .phtml file containing PHP code. Exploitation requires only low-privileged authentication (CVSS PR:L) and no user interaction (UI:N), making post-authentication compromise straightforward. …

Remediation (AI)

Within 24 hours: Audit the current Vvveb CMS version across all instances and identify systems running versions prior to 1.0.8.2. Within 7 days: Apply the vendor-released patch by upgrading to Vvveb CMS 1.0.8.2 or later per GitHub security advisory GHSA-wwmv-4g9g-p48g (commit 54a9e846); pending patch deployment, restrict media-upload permissions to trusted administrative accounts only. …
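
To check whether an instance's media directory already holds the two artifacts the description names (a per-directory .htaccess that remaps a handler, and a file with a PHP-executable extension), the following audit script can be run against it. It is an added example, not Vvveb or vuln.today code; the function names, the extension list, and the sample tree are assumptions, and the upload directory is supplied by the operator as the first argument.

```python
import os, re, sys, tempfile

# Apache directives that can bind a file extension to a handler or MIME type.
HANDLER_RE = re.compile(r"^\s*(AddHandler|AddType|SetHandler|ForceType)\b", re.I)
# Extensions commonly routed to PHP (assumption: adjust to the server config).
SCRIPT_EXTS = {"php", "phtml", "phar", "pht", "php3", "php4", "php5", "php7"}

def audit_upload_dir(root):
    """Return sorted (kind, relative_path, detail) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower() == ".htaccess":
                findings.append(("htaccess", rel, "per-directory config in upload tree"))
                with open(path, errors="replace") as fh:
                    for line in fh:
                        if HANDLER_RE.match(line):
                            findings.append(("handler", rel, line.strip()))
                continue
            # mod_mime looks at every dot-separated extension, so
            # "x.phtml.jpg" is checked as well as "x.phtml".
            exts = {part.lower() for part in name.split(".")[1:]}
            hit = sorted(exts & SCRIPT_EXTS)
            if hit:
                findings.append(("script", rel, "." + hit[0]))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: two benign files plus the two artifacts."""
    os.makedirs(os.path.join(root, "2026"))
    samples = {
        "logo.png": "constructed placeholder",
        "2026/notes.txt": "constructed placeholder",
        # Constructed line; the handler name is a placeholder.
        "2026/.htaccess": "AddHandler example-php-handler .phtml\n",
        "2026/avatar.phtml": "constructed placeholder, no code",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    with tempfile.TemporaryDirectory() as tmp:
        if root is None:
            build_sample(tmp)  # no path given: audit the constructed sample
        for kind, rel, detail in audit_upload_dir(root or tmp):
            print(f"{kind:9} {rel}: {detail}")
```

Any finding in a directory that only ever receives user uploads warrants review of who uploaded the file and when, alongside the web server access log for requests to that path.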
