Vulnerability Description
Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and trigger execution by sending an unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/givanz/Vvveb/commit/54a9e846fb94192f1b31ae81d81d25c874662e6a
- https://github.com/givanz/Vvveb/releases/tag/1.0.8.2
- https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g
- https://www.vulncheck.com/advisories/vvveb-rce-via-media-upload-handler
- https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g
FAQ
What is CVE-2026-41938?
CVE-2026-41938 is a vulnerability with a CVSS score of 8.8 (HIGH). Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictio...
How severe is CVE-2026-41938?
CVE-2026-41938 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-41938?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.