Directory Listing Information Disclosure in Vvveb by Givanz
CVE-2026-41933

6.9MEDIUM

Key Information:

Vendor

Givanz

Status
Vvveb
Vendor
CVE Published:
14 May 2026

What is CVE-2026-41933?

An information disclosure vulnerability exists in Vvveb versions before 1.0.8.3, which allows unauthorized users to exploit missing index directives in .htaccess files. This oversight enables attackers to gain access to sensitive directories, including admin asset paths, plugins, themes, and media folders. Malicious users can enumerate files and directories, potentially revealing filenames, file sizes, modification timestamps, and sensitive unrendered admin templates that may expose critical route maps.

Affected Version(s)

Vvveb 0

Vvveb 0 < 1.0.8.3

Vvveb 96ae04c5e4a295e281adc1d02d77444173653deb

References

https://github.com/givanz/Vvveb/releases/tag/1.0.8.3
release-notes
https://github.com/givanz/Vvveb/commit/96ae04c5e4a295e281...
patch
https://www.vulncheck.com/advisories/vvveb-directory-list...
third-party-advisory

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Basant Kumar (@CyberWarrior9)
VulnCheck
.