CVE-2026-41934
Deferred Deferred - Pending Action
Authenticated Remote Code Execution in Vvveb CMS via .htaccess File Upload

Publication date: 2026-05-06

Last updated on: 2026-05-26

Assigner: VulnCheck

Description
Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code through insufficient file extension restrictions, with the uploaded payload then executable via subsequent unauthenticated HTTP requests. Attackers with editor, author, contributor, or site_admin roles can write a malicious .htaccess file to map arbitrary extensions to the PHP handler, then upload PHP code with that extension to achieve unauthenticated remote code execution when the file is accessed via HTTP.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41934
EUVD
EUVD-2026-27889
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vvveb vvveb to 1.0.8.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Vvveb versions before 1.0.8.2 and involves an authenticated remote code execution flaw in the admin code editor.

Low-privilege authenticated users with roles such as editor, author, contributor, or site_admin can exploit insufficient file extension restrictions to execute arbitrary code.

They do this by writing a malicious .htaccess file that maps arbitrary file extensions to the PHP handler, then uploading PHP code with that extension.

When the uploaded file is accessed via HTTP, it results in unauthenticated remote code execution.

Impact Analysis

This vulnerability can allow attackers with low-level authenticated access to execute arbitrary code on the server remotely without further authentication.

Such unauthorized code execution can lead to full system compromise, data theft, service disruption, or further attacks within the affected environment.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41934. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart