Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. Attackers can access the cron controller without authentication and retrieve the exposed secret key from the response, enabling them to trigger scheduled task execution outside of the intended schedule.
AnalysisAI
Vvveb before 1.0.8.2 exposes the application's secret cron key through an unauthenticated cron controller endpoint, allowing remote attackers to retrieve this sensitive credential and trigger scheduled tasks outside their intended execution windows. The vulnerability affects all deployments with the vulnerable cron controller accessible over the network, with CVSS 5.3 reflecting confidentiality impact from information disclosure without authentication requirements.
Technical ContextAI
Vvveb is a PHP-based page builder and content management system. The vulnerability exists in the cron controller (app/controller/cron.php), which is responsible for managing scheduled task execution. The root cause is CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), where the cron controller inappropriately exposes the secret cron key in HTTP responses without authentication. The cron key is a shared secret meant to authorize legitimate scheduled task invocations; exposing it allows attackers to forge legitimate-appearing requests. The fix (commit 517bc09) removes the code that echoes the URL containing the key parameter, preventing disclosure.
RemediationAI
Upgrade Vvveb to version 1.0.8.2 or later, which includes the fix that removes the cron key exposure from controller output. The patch is available from the vendor repository (https://github.com/givanz/Vvveb/commit/517bc09faf44136e72de391aacc8b90a706f7ae7). For organizations unable to upgrade immediately, implement network-level access controls to restrict access to the cron controller endpoint (typically /cron or /app/controller/cron.php) to only trusted internal or scheduled-task-initiating systems; this prevents unauthenticated external attackers from reaching the endpoint while permitting legitimate cron execution. Additionally, rotate the cron key in the application configuration after patching if the key was previously exposed, as any attacker with network access prior to remediation may have retrieved it. Monitor application logs for unauthorized cron endpoint access from unexpected IP ranges.
An issue in vvveb CMS v.1.0.6 allows a remote attacker to execute arbitrary code via the Plugin mechanism. Rated critica
A security flaw has been discovered in givanz Vvveb up to 1.0.7.2. Rated medium severity (CVSS 5.5), this vulnerability
A security vulnerability has been detected in givanz Vvveb 1.0.7.2. Rated medium severity (CVSS 5.3), this vulnerability
Remote code execution in Vvveb CMS versions prior to 1.0.8.1 allows unauthenticated attackers to inject arbitrary PHP co
Stored cross-site scripting in Vvveb prior to 1.0.8.1 allows authenticated users with media upload and rename permission
Privilege escalation in Vvveb CMS versions prior to 1.0.8.1 allows authenticated low-privileged users to inject role_id=
SQL injection in Vvveb CMS versions before 1.0.8.3 allows authenticated frontend users to execute arbitrary SQL queries
Remote code execution in Vvveb CMS versions before 1.0.8.2 enables low-privilege authenticated users (editor, author, co
Server-Side Request Forgery in Vvveb CMS versions prior to 1.0.8.1 allows authenticated backend users to read arbitrary
Authenticated administrators in Vvveb CMS versions before 1.0.8.3 can access REST API tokens of other administrators thr
Vvveb CMS versions before 1.0.8.3 allow authenticated users to hijack other users' shopping carts during checkout. The c
Negative quantity manipulation in Vvveb CMS versions before 1.0.8.2 allows unauthenticated remote attackers to create or
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28458
GHSA-8rhw-hq84-rcq7