Skip to main content

Vvveb EUVDEUVD-2026-28458

| CVE-2026-41928 MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-05-07 VulnCheck GHSA-8rhw-hq84-rcq7
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
May 07, 2026 - 22:22 NVD
5.3 (MEDIUM) 6.9 (MEDIUM)
Source Code Evidence Fetched
May 07, 2026 - 22:04 vuln.today
Analysis Generated
May 07, 2026 - 22:04 vuln.today
CVE Published
May 07, 2026 - 21:13 nvd
MEDIUM 5.3

DescriptionCVE.org

Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. Attackers can access the cron controller without authentication and retrieve the exposed secret key from the response, enabling them to trigger scheduled task execution outside of the intended schedule.

AnalysisAI

Vvveb before 1.0.8.2 exposes the application's secret cron key through an unauthenticated cron controller endpoint, allowing remote attackers to retrieve this sensitive credential and trigger scheduled tasks outside their intended execution windows. The vulnerability affects all deployments with the vulnerable cron controller accessible over the network, with CVSS 5.3 reflecting confidentiality impact from information disclosure without authentication requirements.

Technical ContextAI

Vvveb is a PHP-based page builder and content management system. The vulnerability exists in the cron controller (app/controller/cron.php), which is responsible for managing scheduled task execution. The root cause is CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), where the cron controller inappropriately exposes the secret cron key in HTTP responses without authentication. The cron key is a shared secret meant to authorize legitimate scheduled task invocations; exposing it allows attackers to forge legitimate-appearing requests. The fix (commit 517bc09) removes the code that echoes the URL containing the key parameter, preventing disclosure.

RemediationAI

Upgrade Vvveb to version 1.0.8.2 or later, which includes the fix that removes the cron key exposure from controller output. The patch is available from the vendor repository (https://github.com/givanz/Vvveb/commit/517bc09faf44136e72de391aacc8b90a706f7ae7). For organizations unable to upgrade immediately, implement network-level access controls to restrict access to the cron controller endpoint (typically /cron or /app/controller/cron.php) to only trusted internal or scheduled-task-initiating systems; this prevents unauthenticated external attackers from reaching the endpoint while permitting legitimate cron execution. Additionally, rotate the cron key in the application configuration after patching if the key was previously exposed, as any attacker with network access prior to remediation may have retrieved it. Monitor application logs for unauthorized cron endpoint access from unexpected IP ranges.

More in Vvveb

View all
CVE-2025-44022 CRITICAL POC
9.8 May 12

An issue in vvveb CMS v.1.0.6 allows a remote attacker to execute arbitrary code via the Plugin mechanism. Rated critica

CVE-2025-11028 MEDIUM POC
5.5 Sep 26

A security flaw has been discovered in givanz Vvveb up to 1.0.7.2. Rated medium severity (CVSS 5.5), this vulnerability

CVE-2025-9728 MEDIUM POC
5.3 Aug 31

A security vulnerability has been detected in givanz Vvveb 1.0.7.2. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-39918 CRITICAL
9.2 Apr 20

Remote code execution in Vvveb CMS versions prior to 1.0.8.1 allows unauthenticated attackers to inject arbitrary PHP co

CVE-2026-34429 MEDIUM POC
5.1 Apr 20

Stored cross-site scripting in Vvveb prior to 1.0.8.1 allows authenticated users with media upload and rename permission

CVE-2026-34427 HIGH
8.7 Apr 20

Privilege escalation in Vvveb CMS versions prior to 1.0.8.1 allows authenticated low-privileged users to inject role_id=

CVE-2026-45800 HIGH
8.7 May 15

SQL injection in Vvveb CMS versions before 1.0.8.3 allows authenticated frontend users to execute arbitrary SQL queries

CVE-2026-41934 HIGH
8.7 May 06

Remote code execution in Vvveb CMS versions before 1.0.8.2 enables low-privilege authenticated users (editor, author, co

CVE-2026-34428 HIGH
8.3 Apr 20

Server-Side Request Forgery in Vvveb CMS versions prior to 1.0.8.1 allows authenticated backend users to read arbitrary

CVE-2026-46407 HIGH
8.1 May 15

Authenticated administrators in Vvveb CMS versions before 1.0.8.3 can access REST API tokens of other administrators thr

CVE-2026-46408 HIGH
7.6 May 15

Vvveb CMS versions before 1.0.8.3 allow authenticated users to hijack other users' shopping carts during checkout. The c

CVE-2026-44826 HIGH
7.5 May 15

Negative quantity manipulation in Vvveb CMS versions before 1.0.8.2 allows unauthenticated remote attackers to create or

Share

EUVD-2026-28458 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy