Unrestricted File Upload Vulnerability in Vvveb by Givanz
CVE-2026-41938

8.7 HIGH

Key Information:

Vendor: Givanz

Status
Vendor
CVE Published: 6 May 2026

What is CVE-2026-41938?

The Vvveb media upload handler prior to version 1.0.8.2 allows authenticated users with media-upload permissions to upload files that should not be accepted, including .htaccess files. An uploaded .htaccess file can map the .phtml extension to the PHP handler, after which the attacker can upload .phtml files containing malicious PHP code. Once these files are uploaded, an unauthenticated HTTP GET request can trigger their execution, potentially leading to remote code execution with the web server's privileges.
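
An audit for the condition described above, as an added example that is not part of the advisory or of the Vvveb code base: it walks a media upload directory and reports .htaccess files, handler-mapping directives that reference PHP, and files with server-executable extensions. The directory layout, the extension list and the sample files are constructed assumptions.

```python
import os
import re
import tempfile

# Apache directives that can bind an extension to a handler or MIME type.
HANDLER_RE = re.compile(r"^\s*(AddHandler|AddType|SetHandler)\s+(.+)$", re.I | re.M)
# Extensions a media directory should never serve (assumed list, extend as needed).
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5", ".pht"}


def audit_media_dir(root):
    """Return sorted (kind, relative_path, detail) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            if lower == ".htaccess":
                findings.append(("htaccess", rel, "per-directory config in upload path"))
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
                for m in HANDLER_RE.finditer(text):
                    if "php" in m.group(2).lower():
                        findings.append(("handler-map", rel, m.group(0).strip()))
            elif os.path.splitext(lower)[1] in SCRIPT_EXTS:
                findings.append(("script", rel, "server-executable extension"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: a media directory in the state the advisory describes."""
    os.makedirs(os.path.join(root, "posts"))
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")
    with open(os.path.join(root, "posts", ".htaccess"), "w") as fh:
        fh.write("# constructed sample\nAddHandler application/x-httpd-php .phtml\n")
    with open(os.path.join(root, "posts", "banner.phtml"), "w") as fh:
        fh.write("constructed placeholder, no code\n")


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_media_dir(root)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Any finding in a media directory warrants review, since image and document uploads have no reason to carry per-directory server configuration.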

Affected Version(s)

Vvveb 0

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Basant Kumar (@CyberWarrior9)
VulnCheck