CVE-2026-41931
Information Disclosure in Vvveb via Debug Exception Handler
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vvveb | vvveb | up to 1.0.8.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-209 | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
| CWE-1188 | The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Vvveb versions before 1.0.8.2 and is an information disclosure issue. It allows unauthenticated attackers to access sensitive server information by causing unhandled exceptions in the password-reset module.
Specifically, attackers can use the admin password-reset endpoint to trigger a fatal error caused by a missing namespace import. This error exposes details such as the absolute server file path, internal class namespaces, line numbers, and source code excerpts through the debug exception handler, which is shown to unauthenticated requests.
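The following check is an added example, not code from Vvveb or from the advisory: it classifies a captured HTTP response body by the four leak classes named above, so an operator can confirm that their own deployment returns a generic error page. The regular expressions, function names and both sample bodies are assumptions constructed for illustration and model typical PHP error output rather than Vvveb's exact debug page.

```python
import html
import re

# Heuristic patterns for the four leak classes the advisory lists. They model
# typical PHP error output and are assumptions, not Vvveb's exact page format.
LEAK_PATTERNS = {
    "absolute_path": re.compile(
        r"/(?:var|home|srv|usr|opt)/[^\s\"'<>]+\.php|[A-Za-z]:\\[^\s\"'<>]+\.php"),
    "class_namespace": re.compile(r"\b[A-Z]\w*(?:\\[A-Z]\w*)+"),
    "line_number": re.compile(r"\bon line \d+|\.php[:(]\d+", re.I),
    "source_excerpt": re.compile(r"<\?php|\$this->|\bnew\s+[A-Z]\w*\("),
}

def debug_leaks(body):
    """Return the sorted names of the leak classes found in a response body."""
    # Debug pages usually HTML-encode source excerpts, so decode entities first.
    text = html.unescape(body)
    return sorted(name for name, rx in LEAK_PATTERNS.items() if rx.search(text))

def is_disclosing(body, threshold=2):
    """Flag a body only when several leak classes co-occur, to limit false positives."""
    return len(debug_leaks(body)) >= threshold

# Constructed sample: the shape of a debug exception page (placeholder names).
LEAKY_BODY = (
    'Fatal error: Class "Example\\Controller\\Mailer" not found in '
    "/var/www/example/app/Reset.php on line 42\n"
    "<pre>$mail = new Mailer($this-&gt;config);</pre>"
)

# Constructed sample: the generic page a production deployment should return.
GENERIC_BODY = (
    "<h1>Something went wrong</h1>"
    '<p>Please try again later. <a href="/admin/index.php">Back</a></p>'
)

if __name__ == "__main__":
    for label, body in (("leaky", LEAKY_BODY), ("generic", GENERIC_BODY)):
        print(label, is_disclosing(body), debug_leaks(body))
```

Run it against responses captured from an unauthenticated session on your own installation, before and after upgrading to 1.0.8.2.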
How can this vulnerability impact me?
The impact of this vulnerability is the exposure of sensitive server information to unauthenticated attackers. This information disclosure can aid attackers in understanding the internal structure of the application, potentially facilitating further attacks such as code injection, privilege escalation, or other exploits.