CVE-2026-41936
XXE Injection in Vvveb CMS Admin Tools
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vvveb | vvveb | before 1.0.8.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
AI Powered Q&A
Can you explain this vulnerability to me?
Vvveb before version 1.0.8.2 contains an XML external entity (XXE) injection vulnerability in the admin Tools/Import feature. This vulnerability allows authenticated site_admin users to exploit the XML parser in system/import/xml.php by injecting file:// or php://filter entity references. These injected entities are resolved and saved into the application database, enabling attackers to read arbitrary files and modify database records.
How can this vulnerability impact me?
This vulnerability can have serious impacts including arbitrary file disclosure, which means attackers can read sensitive files on the server. Additionally, attackers can overwrite administrator password hashes in the database, potentially escalating their privileges to gain full administrative control over the application.
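One way to parse import XML so that entity declarations are never honoured, shown as an added example and not Vvveb's own code or its actual fix. The function name `load_import_xml` and both sample documents are hypothetical, and the example assumes the import format never needs a DTD.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical hardened loader for an XML import feature (not Vvveb's code).
 * Policy: import files never need a DTD, so any DOCTYPE is rejected outright.
 */
function load_import_xml(string $xml): DOMDocument
{
    // Cheap pre-filter on the raw bytes. The post-parse check further down is
    // the authoritative one, because it also catches UTF-16 encoded input.
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        throw new InvalidArgumentException('DOCTYPE/ENTITY declarations are not allowed');
    }

    $previous = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        // LIBXML_NONET blocks network fetches. LIBXML_NOENT and LIBXML_DTDLOAD
        // are deliberately absent: they turn on entity substitution and
        // external DTD loading.
        $ok = $doc->loadXML($xml, LIBXML_NONET);
        libxml_clear_errors();
    } finally {
        libxml_use_internal_errors($previous);
    }

    if (!$ok) {
        throw new InvalidArgumentException('Import file is not well-formed XML');
    }
    if ($doc->doctype !== null) {
        throw new InvalidArgumentException('Import file carries a DOCTYPE');
    }
    return $doc;
}

// Constructed samples: a plain import and one that declares an internal entity.
$samples = [
    'plain'  => '<?xml version="1.0"?><import><post><title>Hello</title></post></import>',
    'entity' => '<?xml version="1.0"?><!DOCTYPE import [<!ENTITY e "x">]>'
              . '<import><post><title>&e;</title></post></import>',
];
foreach ($samples as $name => $xml) {
    try {
        load_import_xml($xml);
        echo "$name: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$name: rejected ({$e->getMessage()})\n";
    }
}
```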