CVE-2026-41937: Unrestricted Upload of File with Dangerous Type in givanz Vvveb
Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows super_admin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file. Attackers can craft a ZIP containing a plugin.php with a valid Slug header and a public/index.php file with arbitrary PHP code, which executes as the web server user when accessed via unauthenticated HTTP requests to the plugin's public path.
AI Analysis
Technical Summary
CVE-2026-41937 describes an unrestricted file upload vulnerability in the givanz Vvveb product before version 1.0.8.3. The issue exists in the plugin upload endpoint, where super_admin users can upload a crafted ZIP file containing a plugin.php with a valid Slug header and a public/index.php file with arbitrary PHP code. When the public path of the plugin is accessed via unauthenticated HTTP requests, the malicious PHP code executes with the privileges of the web server user. This allows remote code execution through crafted plugin uploads. The CVSS 4.0 base score is 8.6, indicating high severity. No official patch or remediation level has been published by the vendor as of the data provided.
Potential Impact
Successful exploitation allows an attacker with super_admin privileges to execute arbitrary PHP code on the web server, potentially leading to full server compromise or unauthorized actions performed with the web server's privileges. This can result in data theft, service disruption, or further internal network compromise. The vulnerability does not require user interaction and can be triggered via unauthenticated HTTP requests to the uploaded plugin's public path.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict super_admin user access to trusted personnel only and monitor for suspicious plugin uploads. Consider disabling plugin uploads if feasible. No vendor advisory or official fix has been published to date.
CVE-2026-41937: Unrestricted Upload of File with Dangerous Type in givanz Vvveb
Description
Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows super_admin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file. Attackers can craft a ZIP containing a plugin.php with a valid Slug header and a public/index.php file with arbitrary PHP code, which executes as the web server user when accessed via unauthenticated HTTP requests to the plugin's public path.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-41937 describes an unrestricted file upload vulnerability in the givanz Vvveb product before version 1.0.8.3. The issue exists in the plugin upload endpoint, where super_admin users can upload a crafted ZIP file containing a plugin.php with a valid Slug header and a public/index.php file with arbitrary PHP code. When the public path of the plugin is accessed via unauthenticated HTTP requests, the malicious PHP code executes with the privileges of the web server user. This allows remote code execution through crafted plugin uploads. The CVSS 4.0 base score is 8.6, indicating high severity. No official patch or remediation level has been published by the vendor as of the data provided.
Potential Impact
Successful exploitation allows an attacker with super_admin privileges to execute arbitrary PHP code on the web server, potentially leading to full server compromise or unauthorized actions performed with the web server's privileges. This can result in data theft, service disruption, or further internal network compromise. The vulnerability does not require user interaction and can be triggered via unauthenticated HTTP requests to the uploaded plugin's public path.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict super_admin user access to trusted personnel only and monitor for suspicious plugin uploads. Consider disabling plugin uploads if feasible. No vendor advisory or official fix has been published to date.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-04-22T18:50:43.621Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a05e885ec166c07b0eee24d
Added to database: 5/14/2026, 3:21:41 PM
Last enriched: 5/14/2026, 3:37:22 PM
Last updated: 5/15/2026, 6:27:12 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.