PT-2026-33774 · Vvveb · Vvveb

Hamed Kohi +1 · Published 2026-04-20 · Updated 2026-04-20 · CVE-2026-34429

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Vvveb versions prior to 1.0.8.1

Description

Authenticated users with media upload and rename permissions can execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. This is achieved by prepending a GIF89a header to HTML/JavaScript payloads to bypass upload validation and then renaming the file to a '.html' extension. This allows malicious scripts to execute in an administrator's browser session, potentially leading to the creation of backdoor accounts and the upload of malicious plugins for remote code execution.

Recommendations

Update to version 1.0.8.1 or later.
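
The description names two gaps: upload validation that trusts the leading magic bytes, and a rename step that does not re-check the extension. The sketch below is an added example, not Vvveb's code or its patch; it shows a check that closes both and an audit pass over files already stored. The allowlists, function names and sample bytes are assumptions constructed for illustration.

```python
import os
import re

# Leading bytes of the image types a media library accepts (assumed allowlist).
MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif",
         b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg"}
# Extensions each sniffed type may keep after a rename.
ALLOWED_EXT = {"gif": {".gif"}, "png": {".png"}, "jpg": {".jpg", ".jpeg"}}
# Tags a browser acts on when the same bytes are served as text/html.
MARKUP = re.compile(rb"<\s*(html|body|script|iframe|svg|object|embed|img)\b", re.I)


def sniff_type(data):
    """Type implied by the magic bytes alone, or None. This is the weak check."""
    return next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), None)


def upload_ok(data):
    """Accept only known image types that carry no HTML markup."""
    return sniff_type(data) is not None and MARKUP.search(data) is None


def rename_ok(new_name, data):
    """Allow a rename only if the final extension matches the file's content type."""
    ext = os.path.splitext(new_name)[1].lower()
    return ext in ALLOWED_EXT.get(sniff_type(data), set())


def audit(files):
    """Return names of stored media whose extension or content fails the checks."""
    return sorted(n for n, d in files.items() if not (upload_ok(d) and rename_ok(n, d)))


# Constructed samples: a minimal 1x1 GIF, and a GIF header followed by inert HTML.
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
POLYGLOT = b"GIF89a<html><body>constructed sample</body></html>"

if __name__ == "__main__":
    print(audit({"logo.gif": REAL_GIF, "note.html": POLYGLOT, "pic.gif": POLYGLOT}))
```

The markup scan is a heuristic for spotting such files; the extension check at rename time is the control that keeps image-typed content from ending up under a '.html' name.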

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2026-34429

Affected Products

Vvveb