CVE-2026-41937
published 2026-05-14
Priority: P3 · 48 · high · 7.2 (CVSS 3.1)
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.40% (32.1th percentile)
Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows super_admin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file. Attackers can craft a ZIP containing a plugin.php with a valid Slug header and a public/index.php file with arbitrary PHP code, which executes as the web server user once accessed via subsequent unauthenticated HTTP requests to the plugin's public path.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| givanz | vvveb | < 1.0.8.3 | 1.0.8.3 |
CVSS provenance
nvd · v3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 8.6 HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
GHSA-gv85-3994-qprw: Vvveb before 1
ghsa_unreviewed·2026-05-14
CVE-2026-41937 [HIGH] CWE-61 GHSA-gv85-3994-qprw: Vvveb before 1
Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows super_admin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file. Attackers can craft a ZIP containing a plugin.php with a valid Slug header and a public/index.php file with arbitrary PHP code, which executes as the web server user when accessed via unauthenticated HTTP requests to the plugin's public path.
VulDB
givanz Vvveb up to 1.0.8.2 Plugin Upload Endpoint plugin.php unrestricted upload
vuldb·2026-05-14·CVSS 8.6
CVE-2026-41937 [HIGH] givanz Vvveb up to 1.0.8.2 Plugin Upload Endpoint plugin.php unrestricted upload
A vulnerability described as critical has been identified in givanz Vvveb up to 1.0.8.2. The affected element is an unknown function of the file plugin.php of the component Plugin Upload Endpoint. Executing a manipulation can lead to unrestricted upload.
This vulnerability is handled as CVE-2026-41937. The attack can be executed remotely. There is not any exploit available.
Upgrading the affected component is recommended.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-14