Authenticated Remote Code Execution in Vvveb by Givanz
CVE-2026-41934

8.7HIGH

Key Information:

Vendor

Givanz

Status
Vvveb
Vendor
CVE Published:
6 May 2026

What is CVE-2026-41934?

Vvveb versions prior to 1.0.8.2 are susceptible to an authenticated remote code execution vulnerability due to inadequate restrictions on file extensions. Low-privilege authenticated users, such as editors or contributors, can exploit this flaw through the admin code editor by creating malicious .htaccess files. These files can associate arbitrary file extensions with the PHP handler, enabling these users to upload PHP scripts disguised with non-standard extensions. If accessed, these scripts can lead to unauthorized remote code execution, thus compromising the security of the web application.

Affected Version(s)

Vvveb 0

References

https://github.com/givanz/Vvveb/releases/tag/1.0.8.2
release-notes
https://github.com/givanz/Vvveb/security/advisories/GHSA-...
vendor-advisory
https://github.com/givanz/Vvveb/commit/1196561276a3f49da5...
patch

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Basant Kumar (@CyberWarrior9)
Hamed Kohi (@0xhamy)
VulnCheck
.