Uncontrolled Recursion Vulnerability in Vvveb Admin Controller
CVE-2026-41935

7.1 HIGH

Key Information:

Vendor: Givanz

Status
Vendor
CVE Published: 14 May 2026

What is CVE-2026-41935?

Vvveb versions prior to 1.0.8.3 contain an uncontrolled recursion flaw in the admin controller's dispatch cycle. The flaw occurs when the Base::init() method repeatedly invokes the permission() function in response to error handlers, leading to infinite recursion. An attacker with a low-privilege account can trigger it by sending continuous requests to restricted admin URLs. This can exhaust PHP memory across all worker processes, causing denial of service and disrupting legitimate traffic.
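The recursion shape described above, reduced to a stand-alone PHP model with a re-entrancy guard in the dispatcher. This is an added example, not Vvveb's code or its 1.0.8.3 patch; `GuardedController`, `AccessDenied`, `notAuthorized()`, the route names and the depth limit are assumptions made for illustration.

```php
<?php
// Simplified model of the dispatch pattern; not Vvveb's code. All names
// except init() and permission() are hypothetical, as is the depth limit.
final class AccessDenied extends RuntimeException {}

class GuardedController
{
    private const MAX_DEPTH = 2; // request + one error-page render (assumed)
    private int $depth = 0;

    public function __construct(private array $allowedRoutes) {}

    // Dispatch entry point: requests and error pages both pass through here.
    public function init(string $route): string
    {
        if ($this->depth >= self::MAX_DEPTH) {
            // Re-entered from our own error path: answer with a static
            // page that needs no dispatch and no permission() call.
            return '500 static error page';
        }
        $this->depth++;
        try {
            $this->permission($route);
            return "200 rendered {$route}";
        } catch (AccessDenied $e) {
            return $this->notAuthorized();
        } finally {
            $this->depth--; // always unwind, even on the error path
        }
    }

    private function permission(string $route): void
    {
        if (!in_array($route, $this->allowedRoutes, true)) {
            throw new AccessDenied($route);
        }
    }

    // Error handler that renders through the dispatcher. Without the depth
    // check in init(), a restricted error route makes this recurse until
    // PHP memory is exhausted.
    private function notAuthorized(): string
    {
        return $this->init('error/403');
    }
}

// Constructed sample: a low-privilege role allowed only the dashboard.
$c = new GuardedController(['dashboard']);
echo $c->init('dashboard'), PHP_EOL;
echo $c->init('settings/users'), PHP_EOL;
```

The second call reaches the guard because the error route is itself restricted for this role, which is the case where an unguarded handler never terminates.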

Affected Version(s)

Vvveb 0

Vvveb 0 < 1.0.8.3

Vvveb c766e84b479dcf1bd1f25a44e4b9c9fa450769c8

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Basant Kumar (@CyberWarrior9)
VulnCheck