CVE-2026-41938
Deferred Deferred - Pending Action
Vvveb Unrestricted File Upload RCE Vulnerability

Publication date: 2026-05-06

Last updated on: 2026-05-26

Assigner: VulnCheck

Description
Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and execute the uploaded payload through a subsequent unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-41938
EUVD
EUVD-2026-27893
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vvveb vvveb to 1.0.8.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Vvveb versions before 1.0.8.2 and involves an unrestricted file upload issue in the media upload handler.

Authenticated users with media-upload permissions can bypass file extension restrictions by uploading a .htaccess file that maps .phtml extensions to the PHP handler.

Attackers can then upload a .phtml file containing arbitrary PHP code and execute it remotely by sending an unauthenticated HTTP GET request to the uploaded file.

This results in remote code execution with the privileges of the web server.

Impact Analysis

The vulnerability allows attackers to execute arbitrary PHP code on the web server remotely.

This can lead to full compromise of the web server, including unauthorized access, data theft, data modification, or disruption of services.

Since the code execution occurs with web server privileges, attackers may be able to escalate their access or move laterally within the affected environment.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41938. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart