PT-2026-38222 · Vvveb · Vvveb
Author: Basant Kumar (+1)
Published: 2026-05-06 · Updated: 2026-05-06
CVE-2026-41936
CVSS v3.1: 8.1 (High)

| Metric | Value |
|---|---|
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Vvveb versions prior to 1.0.8.2
Description
An XML external entity (XXE) injection issue exists in the admin Tools/Import feature. Authenticated site admin users can exploit the XML parser configuration of the 'system/import/xml.php' endpoint to inject file:// or php://filter entity references. The parser resolves these references and the importer persists the resolved content into the application database, allowing arbitrary file disclosure and the overwriting of administrator password hashes to achieve privilege escalation.
Recommendations
Update to version 1.0.8.2 or later.
As a temporary workaround, restrict access to the 'system/import/xml.php' endpoint.
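The parser behaviour behind this class of bug, as an added example that is not Vvveb's own code: the XML loader configuration that lets an import endpoint resolve external entities, beside a hardened loader that rejects DTD-bearing documents and parses with entity resolution disabled. Function names and the sample document are constructed for illustration.

```php
<?php
// Added example (not Vvveb's code): unsafe vs. hardened XML import parsing.
// Function names and the sample document below are constructed.

function parseImportXmlUnsafe(string $xml): ?DOMDocument
{
    // LIBXML_NOENT makes libxml substitute entities, so an external entity
    // declared as SYSTEM "file://..." or "php://filter/..." is fetched and its
    // content ends up in the parsed values that the importer later stores.
    $doc = new DOMDocument();
    $ok = @$doc->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
    return $ok ? $doc : null;
}

function parseImportXmlSafe(string $xml): ?DOMDocument
{
    // 1. Reject any document that declares a DTD. Every XXE payload needs a
    //    DOCTYPE with an ENTITY declaration; a legitimate import file does not.
    if (preg_match('/<!DOCTYPE|<!ENTITY/i', $xml) === 1) {
        return null;
    }
    // 2. Parse without LIBXML_NOENT / LIBXML_DTDLOAD and with network access
    //    disabled, so entities are left unexpanded rather than resolved.
    //    On PHP < 8.0 also call libxml_disable_entity_loader(true) first.
    $doc = new DOMDocument();
    $doc->substituteEntities = false;
    $doc->resolveExternals = false;
    $prev = libxml_use_internal_errors(true);
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return null;
    }
    // 3. Defence in depth: refuse the document if a DTD survived step 1.
    if ($doc->doctype !== null) {
        return null;
    }
    return $doc;
}

// Constructed sample: an import document that declares an external entity.
$sample = '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e SYSTEM "file:///some/server/file">]>'
        . '<import><name>&e;</name></import>';
if (parseImportXmlSafe($sample) === null) {
    echo "import rejected: document declares a DTD\n";
}
```

Beyond the parser fix, the importer should also validate which fields an import file is allowed to write, so that a persisted value can never replace an administrator's password hash.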
Affected Products
Vvveb