CVE-2026-41934
Authenticated Remote Code Execution in Vvveb CMS via .htaccess File Upload
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vvveb | vvveb | before 1.0.8.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-184 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Vvveb versions before 1.0.8.2 and involves an authenticated remote code execution flaw in the admin code editor.
Low-privilege authenticated users with roles such as editor, author, contributor, or site_admin can exploit insufficient file extension restrictions to execute arbitrary code.
They do this by writing a malicious .htaccess file that maps arbitrary file extensions to the PHP handler, then uploading PHP code with that extension.
When the uploaded file is accessed via HTTP, it results in unauthenticated remote code execution.
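To check a deployment for the condition described above, a defender can scan web-writable directories for .htaccess files that bind content to the PHP handler. This is an added example, not Vvveb code or part of the advisory; the function names, the directive list and the sample text are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Apache directives whose first argument names the handler or MIME type to apply.
DIRECTIVE = re.compile(
    r"^\s*(AddHandler|AddType|SetHandler|ForceType)\s+(\S+)(.*)$", re.I
)

def php_mappings(htaccess_text):
    """Return (line_no, directive, target, extensions) for lines that route files to PHP."""
    hits = []
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        if line.lstrip().startswith("#"):   # Apache comment line
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        target = m.group(2).strip("\"'")
        # Only the handler/type argument is tested, so "AddType text/html .php"
        # (a PHP extension served as plain HTML) is not reported.
        if "php" in target.lower():
            hits.append((line_no, m.group(1), target, m.group(3).split()))
    return hits

def scan_tree(root):
    """Map each .htaccess under root that contains a PHP mapping to its findings."""
    findings = {}
    for path in Path(root).rglob(".htaccess"):
        hits = php_mappings(path.read_text(errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings

# Constructed sample input, not taken from a real site.
SAMPLE = """\
# constructed sample
Options -Indexes
AddType application/x-httpd-php .txt
<Files "*.data">
  SetHandler application/x-httpd-php
</Files>
AddType text/css .css
"""

if __name__ == "__main__":
    for hit in php_mappings(SAMPLE):
        print(hit)
```

Any finding in a directory that the CMS can write to should be reviewed together with the files carrying the listed extensions.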
How can this vulnerability impact me?
This vulnerability can allow attackers with low-level authenticated access to execute arbitrary code on the server remotely without further authentication.
Such unauthorized code execution can lead to full system compromise, data theft, service disruption, or further attacks within the affected environment.