EUVD-2026-23948CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionNVD
Vvveb CMS 1.0.8 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass the extension deny-list and upload malicious files to the publicly accessible media directory, then request the file over HTTP to achieve full server compromise.
AnalysisAI
Remote code execution in Vvveb CMS 1.0.8 allows authenticated attackers with low privileges to upload PHP webshells disguised with .phtml extensions, bypassing file type restrictions to achieve full server compromise. The vulnerability stems from inadequate file upload validation in the media handler, enabling malicious files in publicly accessible directories. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Identify all systems running Vvveb CMS 1.0.8 and restrict access to upload functionality; document current version inventory. Within 7 days: Apply vendor-released patch to upgrade from version 1.0.8 to patched version via GitHub upstream repository. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today