CVE-2026-6249
Remote Code Execution in Vvveb CMS Media Upload Handler
Publication date: 2026-04-20
Last updated on: 2026-04-20
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| givanz | vvveb_cms | up to 1.0.8 (exclusive) |
| vvveb | cms | 1.0.8 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6249 is a remote code execution vulnerability in Vvveb CMS version 1.0.8 and earlier. It occurs in the media upload handler, where an authenticated attacker can bypass the file extension deny-list by uploading a malicious PHP webshell with a .phtml extension. The file is stored in a publicly accessible media directory.
Once the .phtml webshell is uploaded, the attacker can execute arbitrary operating system commands by requesting the file over HTTP, which can lead to full server compromise.
How can this vulnerability impact me?
This vulnerability can have severe impacts, including full server compromise. An attacker with authenticated access can upload a malicious webshell and execute arbitrary commands on the server, potentially leading to unauthorized data access, data modification, or complete control over the affected system.
Because the attack has low complexity and requires no user interaction beyond authentication, it poses a significant risk to the security and integrity of the server hosting Vvveb CMS.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for uploaded files with the .phtml extension in the publicly accessible media directory of the Vvveb CMS installation. Since attackers upload a PHP webshell with a .phtml extension, the presence of such files can indicate exploitation.
- Search the media upload directory for .phtml files, for example: `find /path/to/vvveb/media -type f -name '*.phtml'`
- Check web server access logs for HTTP requests to .phtml files, which may indicate attempts to execute an uploaded webshell.
- Monitor for unusual or unauthorized file uploads by authenticated users, especially files with extensions that are not normally allowed.
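As an added example (not part of this record or of the Vvveb CMS project), the following POSIX shell helper combines the first two checks above into one probe that can run from cron or a monitoring job. The media directory path and access-log path are placeholders, and the log is assumed to be in the common/combined format with the request line in double quotes.

```shell
#!/bin/sh
# Added detection helper for CVE-2026-6249; not Vvveb project code.
# Assumptions: MEDIA_DIR is the CMS's public media upload directory and
# ACCESS_LOG is a common/combined-format web server access log. Both are
# placeholder values to be adjusted for the installation being checked.
MEDIA_DIR="${MEDIA_DIR:-/path/to/vvveb/media}"
ACCESS_LOG="${ACCESS_LOG:-/var/log/apache2/access.log}"

# List regular files under the media directory with a .phtml extension.
# The match is case-insensitive so .PHTML and .Phtml are reported as well.
find_phtml_uploads() {
    find "$1" -type f -iname '*.phtml' 2>/dev/null
}

# Print access-log lines whose request line targets a .phtml path
# (optionally followed by a query string). A hit means the web server was
# asked to execute such a file, the second stage of the attack above.
find_phtml_requests() {
    grep -iE '"[A-Z]+ [^" ]*\.phtml(\?[^" ]*)? HTTP/' "$1" 2>/dev/null || true
}

# Count lines on stdin; prints a bare number (wc -l pads on some systems).
count_lines() {
    awk 'END { print NR }'
}

# Run both checks and summarise. Exit status 0 means nothing was found,
# 1 means at least one .phtml file or .phtml request exists.
scan_for_phtml_webshells() {
    media_dir=$1
    access_log=$2
    uploads=$(find_phtml_uploads "$media_dir" | count_lines)
    requests=$(find_phtml_requests "$access_log" | count_lines)
    printf 'phtml files under %s: %s\n' "$media_dir" "$uploads"
    printf 'access-log requests for .phtml files: %s\n' "$requests"
    [ "$uploads" -eq 0 ] && [ "$requests" -eq 0 ]
}

# Run the full scan only when invoked with --run, so the functions can
# also be sourced and called individually.
if [ "${1:-}" = "--run" ]; then
    find_phtml_uploads "$MEDIA_DIR"
    find_phtml_requests "$ACCESS_LOG"
    scan_for_phtml_webshells "$MEDIA_DIR" "$ACCESS_LOG"
fi
```

A non-zero exit from `scan_for_phtml_webshells` is a trigger to review the listed files and the requesting IPs, not proof of compromise on its own, since an administrator may have uploaded a .phtml file legitimately.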
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying the patch that explicitly denies the upload of .phtml files in the media upload handler of Vvveb CMS.
- Update the `$uploadDenyExtensions` array in the `system/traits/media.php` file to include 'phtml', so that uploads of this dangerous file type are rejected.
- Ensure that MIME type restrictions are properly enforced to block dangerous types such as 'image/svg', 'application/javascript', and 'application/x-msdownload'.
- Review and restrict authenticated user permissions to limit who can upload media files.
- Remove any existing .phtml files from the media directory to eliminate webshells that have already been uploaded.