CVE-2026-41930
Deferred Deferred - Pending Action
Hard-Coded Credentials in Vvveb Docker Configuration

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: VulnCheck

Description
Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to gain unrestricted read and write access to the entire Vvveb database, including administrator password hashes, customer personally identifiable information, and order data, enabling account takeover and data manipulation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41930
EUVD
EUVD-2026-27885
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vvveb vvveb to 1.0.8.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration. This vulnerability allows unauthenticated attackers to access the bundled phpMyAdmin container using pre-configured database credentials.

By connecting to the phpMyAdmin port, attackers can gain unrestricted read and write access to the entire Vvveb database, including administrator password hashes, customer personally identifiable information, and order data.

This access enables attackers to take over accounts and manipulate data.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive data such as administrator password hashes, customer personally identifiable information, and order data.

Attackers can manipulate data and take over user accounts, potentially leading to data breaches, loss of customer trust, and operational disruptions.

Compliance Impact

This vulnerability allows unauthenticated attackers to access sensitive data including administrator password hashes, customer personally identifiable information (PII), and order data. Such unauthorized access and potential data manipulation can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Specifically, exposure of PII and administrator credentials can result in non-compliance with GDPR's requirements for data confidentiality and integrity, as well as HIPAA's mandates for protecting patient information, potentially leading to legal and financial consequences.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41930. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart