Vulnerability Description
Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to gain unrestricted read and write access to the entire Vvveb database, including administrator password hashes, customer personally identifiable information, and order data, enabling account takeover and data manipulation.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://github.com/givanz/Vvveb/commit/f85ca7c2bc389bda3cc2eca87b2514581a628c32
- https://github.com/givanz/Vvveb/releases/tag/1.0.8.2
- https://github.com/givanz/Vvveb/security/advisories/GHSA-g38h-mr9p-fjmf
- https://www.vulncheck.com/advisories/vvveb-hard-coded-credentials-information-di
- https://github.com/givanz/Vvveb/security/advisories/GHSA-g38h-mr9p-fjmf
FAQ
What is CVE-2026-41930?
CVE-2026-41930 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin cont...
How severe is CVE-2026-41930?
CVE-2026-41930 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-41930?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.