CVE-2026-34427
Published 2026-04-20
Priority: P2 · 61 · high · 8.8 (CVSS 3.1)
AV:N · AC:L · PR:L · UI:N · S:U · C:H · I:H · A:H
EPSS: 0.56% (42.5th percentile)
Vvveb prior to 1.0.8.1 contains a privilege escalation vulnerability in the admin user profile save endpoint that allows authenticated users to modify privileged fields on their own profile. Attackers can inject role_id=1 into profile save requests to escalate to Super Administrator privileges, enabling plugin upload functionality for remote code execution.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| givanz | vvveb | < 1.0.8.1 | 1.0.8.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-fxgc-2fpp-hx5w: Vvveb prior to 1
ghsa_unreviewed·2026-04-20
CVE-2026-34427 [HIGH] CWE-915 GHSA-fxgc-2fpp-hx5w: Vvveb prior to 1
VulDB
givanz Vvveb up to 1.0.8.0 Plugin Upload dynamically-determined object attributes
vuldb·2026-04-20·CVSS 8.7
CVE-2026-34427 [HIGH] givanz Vvveb up to 1.0.8.0 Plugin Upload dynamically-determined object attributes
A vulnerability was found in givanz Vvveb up to 1.0.8.0 and classified as critical. This vulnerability affects unknown code of the component Plugin Upload Handler. Executing a manipulation can lead to dynamically-determined object attributes.
This vulnerability is handled as CVE-2026-34427. The attack can be executed remotely. There is not any exploit available.
It is suggested to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-04-20
Published