cbcvebase.
CVE-2025-8518
published 2025-08-04

Priority: P3 55
CVSS 3.1: 7.2 (high), AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.35% (67.9th percentile)

A vulnerability was found in givanz Vvveb 1.0.5 and has been rated as critical. It affects the function Save of the file admin/controller/editor/code.php of the Code Editor component. The manipulation leads to code injection, and the attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.6 addresses this issue. The name of the patch is f684f3e374d04db715730fc4796e102f5ebcacb2. It is recommended to upgrade the affected component.

Affected

2 ranges

Vendor    Product    Version range    Fixed in
givanz    vvveb
vvveb     vvveb

Detection & IOCs (extracted from sources)

path: admin/controller/editor/code.php
hash: f684f3e374d04db715730fc4796e102f5ebcacb2
  • Monitor for authenticated POST requests targeting the Code Editor Save function at admin/controller/editor/code.php, which may indicate an attempt to inject malicious code into web-accessible files.
  • Alert on unexpected modification of web-accessible PHP files on Vvveb CMS instances (versions <= 1.0.5), particularly those written via the Code Editor component, as this is the exploitation vector for arbitrary command execution.
  • A public Metasploit module exists for this CVE (vvveb_auth_rce_cve_2025_8518.rb); correlate web server logs for exploit module signatures or known Metasploit user-agent patterns against Vvveb admin endpoints.
  • Exploitation requires authenticated access to the Code Editor feature; ensure admin accounts are audited and access to the Code Editor is restricted to trusted users only.

CVSS provenance

Source    Version    Score    Severity    Vector
nvd       v3.1       7.2      HIGH        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd       v4.0       2.0      LOW         CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd       v2.0       5.8      MEDIUM      AV:N/AC:L/Au:M/C:P/I:P/A:P