CVE-2026-6249

Name of the Vulnerable Software and Affected Versions Vvveb CMS version 1.0.8

Description A remote code execution issue exists in the media upload handler. Authenticated attackers can execute arbitrary operating system commands by uploading a PHP webshell using a .phtml extension. This process involves bypassing the extension deny-list to upload malicious files to the publicly accessible media directory and subsequently requesting the file over HTTP to achieve full server compromise.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.