CVE-2026-39918
Received Received - Intake
Code Injection in Vvveb Installation Allows Remote Code Execution

Publication date: 2026-04-20

Last updated on: 2026-04-20

Assigner: VulnCheck

Description
Vvveb prior toΒ 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the define statement to achieve unauthenticated remote code execution as the web server user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39918
EUVD
EUVD-2026-23868
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
vvveb vvveb to 1.0.8.1 (exc)
givanz vvveb to 1.0.8.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39918 is a critical code injection vulnerability in Vvveb versions prior to 1.0.8.1. It occurs in the installation endpoint where the 'subdir' POST parameter is written directly into the env.php configuration file without any sanitization, escaping, or validation.

Attackers can exploit this flaw by injecting arbitrary PHP code, breaking out of the string context in the define statement, which leads to unauthenticated remote code execution with the privileges of the web server user.

Impact Analysis

This vulnerability allows an unauthenticated attacker to execute arbitrary PHP code on the server running Vvveb, effectively gaining control with the same privileges as the web server user.

Such remote code execution can lead to full compromise of the affected system, including unauthorized access to data, modification or deletion of files, disruption of service, and potential pivoting to other systems within the network.

Detection Guidance

Detection of this vulnerability involves checking for the presence of unsanitized or malicious input in the installation endpoint, specifically the "subdir" POST parameter being written into the env.php configuration file.

One approach is to monitor HTTP POST requests to the installation endpoint for suspicious or unexpected values in the "subdir" parameter that could indicate an attempt to inject PHP code.

Additionally, inspecting the env.php file for unexpected PHP code or modifications can help identify exploitation.

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture POST requests to the installation endpoint and filter for the "subdir" parameter.
  • Run a command like: curl -X POST -d "subdir=test" http://your-vvveb-instance/install to test the endpoint behavior.
  • Search the env.php file for suspicious PHP code injections using grep, e.g., grep -P "<\?php|eval|base64_decode" path/to/env.php
Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Vvveb to version 1.0.8.1 or later where the issue has been fixed.

The fix involves sanitizing the "subdir" POST parameter to prevent code injection by removing dangerous characters and patterns before writing to env.php.

If upgrading is not immediately possible, restrict access to the installation endpoint to trusted users only, for example by network segmentation or authentication.

Monitor and audit the env.php file for unauthorized changes and remove any injected code if found.

Compliance Impact

The vulnerability allows unauthenticated remote code execution via PHP code injection, which can lead to unauthorized access, modification, or disruption of data and services.

Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.

Specifically, the high severity and ease of exploitation (no privileges or user interaction required) increase the risk of breaches that could violate confidentiality, integrity, and availability requirements mandated by these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39918. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart