CVE-2026-41935
Published 2026-05-14

CVE-2026-41935: Vvveb before 1.0.8.3 contains an uncontrolled recursion vulnerability in the admin controller dispatch cycle where Base::init() repeatedly invokes permission()…
Priority: P3 · 36 · high · CVSS 3.1: 7.1
AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:N / A:H
EPSS: 0.27% (18.2th percentile)
Vvveb before 1.0.8.3 contains an uncontrolled recursion vulnerability in the admin controller dispatch cycle where Base::init() repeatedly invokes permission() on error handlers, causing infinite recursion until PHP memory limits are exhausted. Attackers can send sustained requests to forbidden admin URLs from a low-privilege account to exhaust PHP memory on all workers and cause denial of service to legitimate traffic.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| givanz | vvveb | < 1.0.8.3 | 1.0.8.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H |
| nvd | v4.0 | 7.1 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-gpm5-vv3g-pcjf: Vvveb before 1
ghsa_unreviewed·2026-05-14
CVE-2026-41935 [HIGH] CWE-209 GHSA-gpm5-vv3g-pcjf: Vvveb before 1
VulDB
givanz Vvveb up to 1.0.8.2 Base::init recursion
vuldb·2026-05-14·CVSS 7.1
CVE-2026-41935 [HIGH] givanz Vvveb up to 1.0.8.2 Base::init recursion
A vulnerability classified as problematic has been found in givanz Vvveb up to 1.0.8.2. The impacted element is the function Base::init. The manipulation leads to uncontrolled recursion.
This vulnerability is uniquely identified as CVE-2026-41935. The attack can be carried out remotely. No exploit exists.
It is recommended to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-14: Published