Vulnerability Description
Vvveb before version 1.0.8.2 contains an XML external entity (XXE) injection vulnerability in the admin Tools/Import feature that allows authenticated site_admin users to read arbitrary files and modify database records. Attackers can exploit the XML parser configuration in system/import/xml.php to inject file:// or php://filter entity references that are resolved and persisted into the application database, enabling arbitrary file disclosure and administrator password hash overwriting for privilege escalation.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/givanz/Vvveb/commit/86f7128a18edebe0ff47e3855558467eb0ef9106
- https://github.com/givanz/Vvveb/releases/tag/1.0.8.2
- https://github.com/givanz/Vvveb/security/advisories/GHSA-rfxr-4xpm-wrp7
- https://www.vulncheck.com/advisories/vvveb-xml-external-entity-injection-via-imp
- https://github.com/givanz/Vvveb/security/advisories/GHSA-rfxr-4xpm-wrp7
FAQ
What is CVE-2026-41936?
CVE-2026-41936 is a vulnerability with a CVSS score of 8.1 (HIGH). Vvveb before version 1.0.8.2 contains an XML external entity (XXE) injection vulnerability in the admin Tools/Import feature that allows authenticated site_admin users to read arbitrary files and modi...
How severe is CVE-2026-41936?
CVE-2026-41936 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-41936?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.