


Perceptive Security
SOC/SIEM Consultancy

Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload pe…
Published: 5 May 2026 at 22:00:00
Alert date: 6 May 2026 at 20:01:38
Source: nvd.nist.gov
Web Technologies
CVE-2026-41938 is an unrestricted file upload vulnerability in Vvveb before version 1.0.8.2 that affects the media upload handler. Authenticated users with media-upload permissions can bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can then upload a .phtml file containing arbitrary PHP code and trigger execution through an unauthenticated HTTP GET request to the uploaded file. This results in remote code execution with web server privileges, making it a critical security issue.
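A defender-side check for the pattern described above, added here as an example and not taken from Vvveb or the advisory: it walks a media upload directory and reports any .htaccess file (quoting handler or type directives it contains) and any file carrying a script extension. The extension list, the directory passed in and the sample files are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Apache directives that can bind a file extension to a handler or MIME type.
HANDLER_DIRECTIVE = re.compile(
    r"^[ \t]*(?:AddHandler|AddType|SetHandler|ForceType)\b.*$", re.I | re.M)
# Assumed list of extensions that may run as PHP once a mapping exists.
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".pht", ".php5"}


def audit_upload_dir(root):
    """Return sorted (relative_path, reason) findings for an upload tree."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):  # pathlib globbing includes dotfiles
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() == ".htaccess":
            text = path.read_text(errors="replace")
            hits = [m.group(0).strip() for m in HANDLER_DIRECTIVE.finditer(text)]
            if hits:
                reason = "htaccess remaps handler: " + "; ".join(hits)
            else:
                reason = "htaccess present in upload dir"
            findings.append((rel, reason))
        elif any(s.lower() in SCRIPT_EXTS for s in path.suffixes):
            # Also catches double extensions such as name.php.jpg.
            findings.append((rel, "script extension in upload dir"))
    return sorted(findings)


def demo():
    """Audit a constructed sample tree (all file contents are placeholders)."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp)
        (media / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        # Constructed directive with a placeholder handler name.
        (media / ".htaccess").write_text("AddHandler constructed-handler .phtml\n")
        (media / "notes.phtml").write_text("constructed sample, no code\n")
        return audit_upload_dir(media)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Any finding in a directory that should hold only images or documents warrants review of the upload history for the account that wrote the file.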
Technical details
Mitigation steps:
Affected products: Vvveb
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-41938
https://github.com/givanz/Vvveb/commit/54a9e846fb94192f1b31ae81d81d25c874662e6a
https://github.com/givanz/Vvveb/releases/tag/1.0.8.2
https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g
https://www.vulncheck.com/advisories/vvveb-rce-via-media-upload-handler
This article was created with the assistance of AI technology by Perceptive.
