CVE-2026-41931
Information Disclosure in Vvveb via Debug Exception Handler
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vvveb | vvveb | up to 1.0.8.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-209 | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
| CWE-1188 | The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to obtain sensitive server information, including absolute server file paths, internal class namespaces, line numbers, and source code excerpts. This exposure of sensitive information could potentially lead to unauthorized access or further exploitation, which may impact compliance with standards and regulations such as GDPR and HIPAA that require protection of sensitive data and secure system configurations.
However, the provided information does not explicitly detail the direct impact on compliance with these standards or regulations.
Can you explain this vulnerability to me?
This vulnerability exists in Vvveb versions before 1.0.8.2 and is an information disclosure issue. It allows unauthenticated attackers to access sensitive server information by causing unhandled exceptions in the password-reset module.
Specifically, attackers can use the admin password-reset endpoint to trigger a fatal error caused by a missing namespace import. This error exposes details such as the absolute server file path, internal class namespaces, line numbers, and source code excerpts through the debug exception handler, which is shown to unauthenticated requests.
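A regression check for this class of leak, as an added example that is not from the advisory or the Vvveb project: it scans an HTTP response body for the four kinds of detail listed above. The regexes, function names and both sample bodies (paths, namespace, code lines) are constructed assumptions, not Vvveb output.

```python
import re

# Heuristics for the four details the advisory names. Assumptions made for
# this example; they are not signatures taken from Vvveb's debug handler.
LEAK_PATTERNS = {
    # Filesystem-rooted PHP paths (Unix roots or a Windows drive), not URL paths.
    "absolute_path": re.compile(
        r"(?<![\w/])/(?:var|srv|home|usr|opt)/[\w./-]+\.php|[A-Za-z]:\\[\w.\\-]+\.php"),
    # Backslash-separated PHP class names such as Vendor\Package\Class.
    "class_namespace": re.compile(r"\b[A-Z]\w*(?:\\[A-Z]\w*)+"),
    # "file.php:42", "file.php(42)" or "file.php on line 42".
    "line_number": re.compile(r"\.php(?::\d+|\(\d+\)| on line \d+)"),
    # An opening PHP tag, or a numbered listing line containing PHP tokens.
    "source_excerpt": re.compile(
        r"&lt;\?php|<\?php|^[ \t]*\d+[:|]?[ \t]+.*(?:\$\w+|->|::).*$", re.M),
}

def find_debug_leaks(body):
    """Map each leak category to the distinct strings found in the body."""
    findings = {}
    for name, pattern in LEAK_PATTERNS.items():
        hits = sorted({m.group(0).strip() for m in pattern.finditer(body)})
        if hits:
            findings[name] = hits
    return findings

def is_debug_page(body, min_categories=2):
    """True when the body shows at least min_categories kinds of leak."""
    return len(find_debug_leaks(body)) >= min_categories

# Constructed sample: what a debug exception page of this kind could contain.
LEAKY = r"""<h1>Fatal error</h1>
<p>Uncaught Error: Class "ExampleApp\Controller\Mailer" not found in /srv/example-app/admin/controller/reset.php:42</p>
<pre>
40:     $email = $this->request->post['email'];
41:     // send reset mail
42:     $mailer = new Mailer($email);
</pre>
<p>#0 /srv/example-app/system/core/dispatch.php(118): ExampleApp\Controller\Reset->index()</p>"""

# Constructed sample: a generic error page that keeps details server-side.
SAFE = """<h1>Something went wrong</h1>
<p>Please try again later. Reference: 7f3a9c</p>
<a href="/admin/index.php">Back to login</a>"""

if __name__ == "__main__":
    for label, body in (("leaky", LEAKY), ("safe", SAFE)):
        print(label, is_debug_page(body), find_debug_leaks(body))
```

Run against responses captured from your own deployment's error paths after upgrading; a page that still trips two or more categories means the debug handler is reachable.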
How can this vulnerability impact me?
The impact of this vulnerability is the exposure of sensitive server information to unauthenticated attackers. This information disclosure can aid attackers in understanding the internal structure of the application, potentially facilitating further attacks such as code injection, privilege escalation, or other exploits.