CVE-2026-41931
Deferred Deferred - Pending Action
Information Disclosure in Vvveb via Debug Exception Handler

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: VulnCheck

Description
Vvveb before version 1.0.8.2 contains an information disclosure vulnerability that allows unauthenticated attackers to obtain sensitive server information by triggering unhandled exceptions in the password-reset module. Attackers can access the admin password-reset endpoint to trigger a fatal error caused by a missing namespace import, which exposes the absolute server file path, internal class namespaces, line numbers, and source code excerpts through the debug exception handler rendered to unauthenticated requests.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-41931
EUVD
EUVD-2026-27887
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vvveb vvveb to 1.0.8.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Vvveb versions before 1.0.8.2 and is an information disclosure issue. It allows unauthenticated attackers to access sensitive server information by causing unhandled exceptions in the password-reset module.

Specifically, attackers can use the admin password-reset endpoint to trigger a fatal error caused by a missing namespace import. This error exposes details such as the absolute server file path, internal class namespaces, line numbers, and source code excerpts through the debug exception handler, which is shown to unauthenticated requests.

Impact Analysis

The impact of this vulnerability is the exposure of sensitive server information to unauthenticated attackers. This information disclosure can aid attackers in understanding the internal structure of the application, potentially facilitating further attacks such as code injection, privilege escalation, or other exploits.

Compliance Impact

The vulnerability allows unauthenticated attackers to obtain sensitive server information, including absolute server file paths, internal class namespaces, line numbers, and source code excerpts. This exposure of sensitive information could potentially lead to unauthorized access or further exploitation, which may impact compliance with standards and regulations such as GDPR and HIPAA that require protection of sensitive data and secure system configurations.

However, the provided information does not explicitly detail the direct impact on compliance with these standards or regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41931. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart