CVE-2026-39918
published 2026-04-20CVE-2026-39918: Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the…
PriorityP267critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.66%
47.1th percentile
Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the define statement to achieve unauthenticated remote code execution as the web server user.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| givanz | vvveb | < 1.0.8.1 | 1.0.8.1 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.2CRITICALCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
givanz Vvveb up to 1.0.8.0 Installation Endpoint env.php subdir code injection
vuldb·2026-04-20·CVSS 9.2
CVE-2026-39918 [CRITICAL] givanz Vvveb up to 1.0.8.0 Installation Endpoint env.php subdir code injection
A vulnerability categorized as critical has been discovered in givanz Vvveb up to 1.0.8.0. The impacted element is an unknown function of the file env.php of the component Installation Endpoint. Such manipulation of the argument subdir leads to code injection.
This vulnerability is referenced as CVE-2026-39918. It is possible to launch the attack remotely. No exploit is available.
It is advisable to upgrade the affected component.
GHSA
GHSA-chhv-69jq-q952: Vvveb prior to 1
ghsa_unreviewed·2026-04-20
CVE-2026-39918 [CRITICAL] CWE-94 GHSA-chhv-69jq-q952: Vvveb prior to 1
Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the define statement to achieve unauthenticated remote code execution as the web server user.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-04-20
Published