Unrestricted File Upload Vulnerability in Vvveb Plugin by Givanz
CVE-2026-41937

8.6 HIGH

Key Information:

Vendor: Givanz

Status
Vendor
CVE Published: 14 May 2026

What is CVE-2026-41937?

The Vvveb plugin prior to version 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin's upload endpoint. The flaw allows super_admin users to upload malicious plugin ZIP files, potentially leading to execution of arbitrary PHP code. Attackers can exploit this by crafting a ZIP file that contains a plugin.php with a valid Slug header alongside a public/index.php file embedding arbitrary PHP code. That code runs on the server when the file is requested through unauthenticated HTTP requests to the plugin's public path.
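A pre-installation audit for the archive layout described above, as an added example that is not Vvveb's code and not the vendor's fix. The function names, the list of executable extensions and the exact form of the Slug header line are assumptions; the sample ZIP is constructed.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# Assumption: extensions a PHP-enabled web server may hand to the interpreter.
EXECUTABLE_EXT = {".php", ".phtml", ".phar", ".pht", ".php5", ".php7"}
# Assumption: the Slug header is a "Slug: value" line in plugin.php's comment block.
SLUG_RE = re.compile(rb"^[ \t/*#]*Slug:[ \t]*([A-Za-z0-9_-]+)[ \t]*\r?$", re.M)


def audit_plugin_zip(data: bytes) -> dict:
    """Inspect a plugin ZIP in memory; return its slug and a list of findings."""
    slug, findings = None, []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            parts = PurePosixPath(name).parts
            # Entry names that would land outside the extraction directory.
            if name.startswith("/") or ".." in parts:
                findings.append(("path-traversal", info.filename))
                continue
            if info.is_dir() or not parts:
                continue
            if parts[-1].lower() == "plugin.php" and slug is None:
                with zf.open(info) as fh:  # read only the header region
                    m = SLUG_RE.search(fh.read(8192))
                slug = m.group(1).decode() if m else None
            # Executable file below public/ (any suffix, so "x.php.txt" counts).
            suffixes = {s.lower() for s in PurePosixPath(parts[-1]).suffixes}
            if "public" in parts[:-1] and suffixes & EXECUTABLE_EXT:
                findings.append(("public-executable", name))
    return {"slug": slug, "findings": findings}


def build_sample(files: dict) -> bytes:
    """Build a constructed ZIP (sample input for the audit) from name -> body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_plugin_zip(build_sample({
        "demo/plugin.php": "<?php\n/*\nSlug: demo\n*/\n",
        "demo/public/index.php": "<?php /* placeholder */\n",
    })))
```

A non-empty findings list marks an archive for manual review before installation; it does not replace upgrading to 1.0.8.3 or later.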

Affected Version(s)

Vvveb 0

Vvveb 0 < 1.0.8.3

Vvveb 04f0294350ec429e307cd31c2e777a4797c868d6

CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Credit

Basant Kumar (@CyberWarrior9)
VulnCheck