Hard-Coded Credentials Vulnerability in Vvveb by Givanz
CVE-2026-41930

9.2 CRITICAL

Key Information:

Vendor

Givanz

Status
Vendor
CVE Published: 6 May 2026

What is CVE-2026-41930?

Vvveb prior to version 1.0.8.2 contains a critical flaw in its docker-compose-apache.yaml configuration file: hard-coded credentials allow unauthenticated attackers to connect to the phpMyAdmin container. This grants full read and write access to the Vvveb database, exposing sensitive information, including admin password hashes and customer data. As a result, attackers could take over accounts and manipulate data.

Affected Version(s)

Vvveb 0

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Basant Kumar (@CyberWarrior9)
Hamed Kohi (@0xhamy)
VulnCheck