CVE-2026-41934: CWE-184: Incomplete List of Disallowed Inputs in givanz Vvveb
Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code by exploiting insufficient file extension restrictions. Attackers with editor, author, contributor, or site_admin roles can write a malicious .htaccess file to map arbitrary extensions to the PHP handler, then upload PHP code with that extension to achieve unauthenticated remote code execution when the file is accessed via HTTP.
AI Analysis
Technical Summary
CVE-2026-41934 describes an authenticated remote code execution vulnerability in the admin code editor of Vvveb before version 1.0.8.2. The flaw arises from an incomplete list of disallowed file extensions, allowing low-privilege authenticated users to upload a malicious .htaccess file that remaps arbitrary file extensions to the PHP handler. Subsequently, they can upload PHP code with these extensions, which executes remotely without authentication when accessed over HTTP. This vulnerability affects users with editor, author, contributor, or site_admin roles and enables escalation to remote code execution.
Potential Impact
Successful exploitation allows low-privilege authenticated users to execute arbitrary code on the server remotely without further authentication. This can lead to full system compromise, data breaches, or service disruption. The vulnerability affects all versions of Vvveb prior to 1.0.8.2. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch links are provided, users should monitor for updates from the vendor regarding version 1.0.8.2 or later. Until a patch is available, restrict access to roles capable of uploading files and consider disabling the admin code editor for lower-privilege users to reduce risk.
CVE-2026-41934: CWE-184: Incomplete List of Disallowed Inputs in givanz Vvveb
Description
Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code by exploiting insufficient file extension restrictions. Attackers with editor, author, contributor, or site_admin roles can write a malicious .htaccess file to map arbitrary extensions to the PHP handler, then upload PHP code with that extension to achieve unauthenticated remote code execution when the file is accessed via HTTP.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-41934 describes an authenticated remote code execution vulnerability in the admin code editor of Vvveb before version 1.0.8.2. The flaw arises from an incomplete list of disallowed file extensions, allowing low-privilege authenticated users to upload a malicious .htaccess file that remaps arbitrary file extensions to the PHP handler. Subsequently, they can upload PHP code with these extensions, which executes remotely without authentication when accessed over HTTP. This vulnerability affects users with editor, author, contributor, or site_admin roles and enables escalation to remote code execution.
Potential Impact
Successful exploitation allows low-privilege authenticated users to execute arbitrary code on the server remotely without further authentication. This can lead to full system compromise, data breaches, or service disruption. The vulnerability affects all versions of Vvveb prior to 1.0.8.2. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch links are provided, users should monitor for updates from the vendor regarding version 1.0.8.2 or later. Until a patch is available, restrict access to roles capable of uploading files and consider disabling the admin code editor for lower-privilege users to reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-04-22T18:50:43.620Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fb9131cbff5d86102f43ba
Added to database: 5/6/2026, 7:06:25 PM
Last enriched: 5/6/2026, 7:21:37 PM
Last updated: 5/7/2026, 7:40:15 AM
Views: 16
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.