Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to gain unrestricted read and write access to the entire Vvveb database, including administrator password hashes, customer personally identifiable information, and order data, enabling account takeover and data manipulation.
AnalysisAI
Hard-coded credentials in Vvveb's Docker deployment expose the entire application database to unauthenticated remote attackers. Versions prior to 1.0.8.2 ship with pre-configured phpMyAdmin credentials in docker-compose-apache.yaml, allowing direct database access without authentication. Attackers gain unrestricted read/write access to administrator password hashes, customer PII, and order data, enabling account takeover and data manipulation. CVSS 9.2 (Critical) reflects network-accessible attack with low complexity. Patch available in version 1.0.8.2 with vendor advisory confirmed by GitHub Security Advisory GHSA-g38h-mr9p-fjmf.
Technical ContextAI
This vulnerability stems from insecure defaults in Infrastructure-as-Code configurations. The docker-compose-apache.yaml file contains plaintext database credentials accessible to the phpMyAdmin container, mapping CWE-306 (Missing Authentication for Critical Function). Docker Compose configurations define container orchestration including environment variables, port mappings, and service credentials. When phpMyAdmin is exposed with hard-coded credentials, it bypasses the application's authentication layer entirely, granting direct MySQL/MariaDB access. The CPE cpe:2.3:a:givanz:vvveb identifies this as affecting the Givanz Vvveb content management system. CVSS 4.0 vector shows Attack Complexity Low (AC:L) with Present attack requirements (AT:P), indicating the phpMyAdmin port must be network-accessible, which is the case in default Docker deployments exposing container services.
RemediationAI
Upgrade immediately to Vvveb version 1.0.8.2 or later, available at https://github.com/givanz/Vvveb/releases/tag/1.0.8.2. The security fix is implemented in commit f85ca7c2bc389bda3cc2eca87b2514581a628c32 which removes hard-coded credentials from docker-compose-apache.yaml. For organizations unable to upgrade immediately, implement these specific compensating controls: (1) Block external access to phpMyAdmin container port (typically 8080 or 8081) using firewall rules-restricts attack to internal network only but does not eliminate risk from insider threats or lateral movement; (2) Change the default database credentials in docker-compose-apache.yaml and restart containers-requires manual configuration management and may break on updates; (3) Remove phpMyAdmin container entirely from docker-compose configuration if database administration can be performed through alternative tools-eliminates attack surface but reduces operational convenience. All workarounds are inferior to patching. After remediation, audit database access logs for suspicious queries and reset all administrator passwords as a precautionary measure given potential prior compromise.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27885