Skip to main content

Vvveb EUVDEUVD-2026-30294

| CVE-2026-41933 MEDIUM
Exposure of Information Through Directory Listing (CWE-548)
2026-05-14 disclosure@vulncheck.com GHSA-f8fj-4vvj-89gh
6.9
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (vulncheck) · only source for this CVE.

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
May 14, 2026 - 16:01 EUVD
Source Code Evidence Fetched
May 14, 2026 - 15:33 vuln.today
Analysis Generated
May 14, 2026 - 15:33 vuln.today
CVE Published
May 14, 2026 - 15:16 nvd
MEDIUM 6.9

DescriptionCVE.org

Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset paths, plugins, themes, and media folders to view filenames, file sizes, modification timestamps, and unrendered admin templates containing sensitive route maps.

AnalysisAI

Vvveb before 1.0.8.3 allows unauthenticated remote attackers to enumerate sensitive files and directories through directory listing information disclosure. Multiple directories including admin, plugins, themes, and media folders lack proper index directives in .htaccess files, permitting attackers to view filenames, file sizes, modification timestamps, and unrendered admin templates that expose sensitive route maps. No active exploitation has been confirmed, but the vulnerability is trivial to exploit with network access and no authentication.

Technical ContextAI

Vvveb is a web-based CMS and website builder framework. The vulnerability stems from improper Apache HTTP Server configuration through .htaccess files. Specifically, the Options directive lacks the -Indexes flag (or Options directive is commented out with #) in multiple directories, causing Apache to display directory listings when a client requests a directory path without an index file. CWE-548 (Exposure of Information Through Directory Listing) classifies this as a direct configuration weakness. The affected directories store PHP code, media assets, template files, and administrative interface components. When directory listing is enabled, Apache responds to GET requests for directory paths with an HTML-formatted file listing containing metadata (size, modification date, filename) that reveals the application structure and potentially sensitive information to unauthenticated attackers. The fix involves uncommenting and enabling the -Indexes option in .htaccess files across the root, admin, plugins, themes, media, and other sensitive directories, as shown in commit 96ae04c5e4a295e281adc1d02d77444173653deb.

RemediationAI

Upgrade Vvveb to version 1.0.8.3 or later immediately; the patched version includes corrected .htaccess files with Options -Indexes directives enabled in all sensitive directories (root, admin, plugins, themes, public/media, public/admin, public/vadmin, public/themes). If immediate patching is not feasible, manually add 'Options +SymLinksIfOwnerMatch -Indexes' to the following .htaccess files in your Vvveb installation: .htaccess (root), admin/.htaccess, plugins/.htaccess, public/.htaccess, public/admin/.htaccess, public/media/.htaccess, public/themes/.htaccess, and public/vadmin/.htaccess. Additionally, if plugins/.htaccess and public/themes/.htaccess do not exist, create them with the Apache access controls shown in the commit diff (deny PHP execution). Verify the fix by attempting to access /admin/, /plugins/, /themes/, /public/media/ and confirming that directory listing is suppressed (HTTP 403 Forbidden or 404 Not Found response, not an HTML file listing). Alternative compensating control: configure web server reverse proxy (nginx, Apache on front-end) to block requests to known sensitive directories or disable directory listing at the virtual host level; this mitigates exposure but does not address the root cause and leaves the application vulnerable if accessed directly. Patch verification: review Vvveb advisory at https://www.vulncheck.com/advisories/vvveb-directory-listing-information-disclosure for release notes.

Share

EUVD-2026-30294 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy