Skip to main content

Vvveb EUVDEUVD-2026-27885

| CVE-2026-41930 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-05-06 VulnCheck
9.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
May 06, 2026 - 19:46 vuln.today
Analysis Generated
May 06, 2026 - 19:46 vuln.today
CVSS changed
May 06, 2026 - 19:22 NVD
9.8 (CRITICAL) 9.2 (CRITICAL)
CVE Published
May 06, 2026 - 18:37 nvd
CRITICAL 9.2

DescriptionCVE.org

Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to gain unrestricted read and write access to the entire Vvveb database, including administrator password hashes, customer personally identifiable information, and order data, enabling account takeover and data manipulation.

AnalysisAI

Hard-coded credentials in Vvveb's Docker deployment expose the entire application database to unauthenticated remote attackers. Versions prior to 1.0.8.2 ship with pre-configured phpMyAdmin credentials in docker-compose-apache.yaml, allowing direct database access without authentication. Attackers gain unrestricted read/write access to administrator password hashes, customer PII, and order data, enabling account takeover and data manipulation. CVSS 9.2 (Critical) reflects network-accessible attack with low complexity. Patch available in version 1.0.8.2 with vendor advisory confirmed by GitHub Security Advisory GHSA-g38h-mr9p-fjmf.

Technical ContextAI

This vulnerability stems from insecure defaults in Infrastructure-as-Code configurations. The docker-compose-apache.yaml file contains plaintext database credentials accessible to the phpMyAdmin container, mapping CWE-306 (Missing Authentication for Critical Function). Docker Compose configurations define container orchestration including environment variables, port mappings, and service credentials. When phpMyAdmin is exposed with hard-coded credentials, it bypasses the application's authentication layer entirely, granting direct MySQL/MariaDB access. The CPE cpe:2.3:a:givanz:vvveb identifies this as affecting the Givanz Vvveb content management system. CVSS 4.0 vector shows Attack Complexity Low (AC:L) with Present attack requirements (AT:P), indicating the phpMyAdmin port must be network-accessible, which is the case in default Docker deployments exposing container services.

RemediationAI

Upgrade immediately to Vvveb version 1.0.8.2 or later, available at https://github.com/givanz/Vvveb/releases/tag/1.0.8.2. The security fix is implemented in commit f85ca7c2bc389bda3cc2eca87b2514581a628c32 which removes hard-coded credentials from docker-compose-apache.yaml. For organizations unable to upgrade immediately, implement these specific compensating controls: (1) Block external access to phpMyAdmin container port (typically 8080 or 8081) using firewall rules-restricts attack to internal network only but does not eliminate risk from insider threats or lateral movement; (2) Change the default database credentials in docker-compose-apache.yaml and restart containers-requires manual configuration management and may break on updates; (3) Remove phpMyAdmin container entirely from docker-compose configuration if database administration can be performed through alternative tools-eliminates attack surface but reduces operational convenience. All workarounds are inferior to patching. After remediation, audit database access logs for suspicious queries and reset all administrator passwords as a precautionary measure given potential prior compromise.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

EUVD-2026-27885 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy