PT-2026-33779 · Vvveb · Vvveb

Vulncheck · Published 2026-04-20 · Updated 2026-04-21 · CVE-2026-39918

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Vvveb versions prior to 1.0.8.1

Description: An issue exists in the installation endpoint where the subdir POST parameter is written into the env.php configuration file without proper escaping or validation. This allows unauthenticated attackers to break out of the string context in the define statement and inject arbitrary PHP code, leading to remote code execution as the web server user.

Recommendations: Update to version 1.0.8.1 or later.
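
The weakness class described above, shown as an added example that is not Vvveb's installer code or its actual fix: a config writer that concatenates request data into a define statement, next to a hardened writer and a check that the generated file contains exactly one define call. The function names, the SUBDIR constant name and the allow-list pattern are assumptions; PHP 8.0 or later is assumed.

```php
<?php
// Added illustration; function names, the SUBDIR constant name and the
// allow-list pattern are assumptions, not Vvveb's actual installer code.

// Vulnerable pattern: request data is concatenated into PHP source, so a
// quote character in $subdir ends the string literal early.
function render_env_unsafe(string $subdir): string
{
    return "<?php\ndefine('SUBDIR', '" . $subdir . "');\n";
}

// Hardened pattern: validate against an allow-list, then let var_export()
// produce the literal so quotes and backslashes are always escaped.
function render_env_safe(string $subdir): string
{
    if (!preg_match('#\A(?:/[A-Za-z0-9._-]+)*/?\z#', $subdir) || str_contains($subdir, '..')) {
        throw new InvalidArgumentException('subdir must be a plain URL path');
    }
    return "<?php\ndefine('SUBDIR', " . var_export($subdir, true) . ");\n";
}

// True only if the generated file is exactly: open tag + one define() call
// with two constant string arguments. Any other token shape fails the check.
function is_single_define(string $source): bool
{
    $tokens = array_values(array_filter(
        token_get_all($source),
        fn($t) => !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_OPEN_TAG], true)
    ));
    $shape = array_map(fn($t) => is_array($t) ? token_name($t[0]) : $t, $tokens);
    return $shape === ['T_STRING', '(', 'T_CONSTANT_ENCAPSED_STRING', ',',
                       'T_CONSTANT_ENCAPSED_STRING', ')', ';'];
}

// Constructed sample inputs: one ordinary path, one containing a quote.
foreach (['/shop', "/shop'x"] as $input) {
    printf("%-10s unsafe output well-formed: %s\n", $input,
        var_export(is_single_define(render_env_unsafe($input)), true));
    try {
        $ok = is_single_define(render_env_safe($input));
        printf("%-10s safe output well-formed:   %s\n", $input, var_export($ok, true));
    } catch (InvalidArgumentException $e) {
        printf("%-10s rejected: %s\n", $input, $e->getMessage());
    }
}
```

The same token-shape check can be run against an existing env.php during incident review to confirm the file holds only constant definitions.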

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-39918

Affected Products

Vvveb