PT-2026-33828 · Vvveb Cms · Vvveb Cms
Published
2026-04-20
·
Updated
2026-04-21
·
CVE-2026-6257
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Vvveb CMS version 1.0.8
Description
A remote code execution flaw exists in the media management functionality. A missing return statement in the file rename handler allows authenticated attackers to rename files to blocked extensions such as '.php' or '.htaccess'. This logic flaw can be exploited by uploading a text file and renaming it to '.htaccess' to inject Apache directives that register PHP-executable MIME types, followed by uploading another file and renaming it to '.php' to execute arbitrary operating system commands as the
www-data user.Recommendations
Update Vvveb CMS version 1.0.8 to a newer version that contains a fix for this issue.
Fix
RCE
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Vvveb Cms