PT-2026-38223 · Vvveb · Vvveb

Basant Kumar +1 · Published 2026-05-06 · Updated 2026-05-06 · CVE-2026-41938

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Vvveb versions prior to 1.0.8.2

Description

An unrestricted file upload issue exists in the media upload handler. Authenticated users with media-upload permissions can bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. This allows the upload of a .phtml file containing arbitrary PHP code, which can be executed by sending an unauthenticated HTTP GET request to the uploaded file, leading to remote code execution with web server privileges.

Recommendations

Update to version 1.0.8.2 or later.
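
To check whether an installation already contains the artifacts this description mentions, the following audit walks a media upload directory and reports per-directory server config files, handler-mapping directives inside them, and files with PHP-executable extensions. It is an added example, not code from the advisory or from Vvveb; the extension list, the override-file list and the directory passed on the command line are assumptions to adapt to the site.

```python
import os
import re

# Assumption: extensions Apache/PHP setups commonly route to the PHP handler.
PHP_EXTS = {".php", ".phtml", ".phar", ".pht", ".php5", ".php7"}
# Assumption: per-directory config files that can change how files are served.
OVERRIDE_FILES = {".htaccess", ".user.ini"}
# Apache directives that bind an extension or a directory to a handler.
HANDLER_RE = re.compile(r"^\s*(AddType|AddHandler|SetHandler|ForceType)\b.*$",
                        re.IGNORECASE | re.MULTILINE)


def audit_media_dir(root):
    """Return sorted (relative_path, reason) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            if lower in OVERRIDE_FILES:
                findings.append((rel, "server config override in upload dir"))
                if lower == ".htaccess":
                    with open(path, "r", errors="replace") as fh:
                        for m in HANDLER_RE.finditer(fh.read()):
                            findings.append(
                                (rel, "handler directive: " + m.group(0).strip()))
                continue
            # Check every dot-separated suffix so "x.phtml.jpg" is caught too.
            suffixes = {"." + part for part in lower.split(".")[1:]}
            hit = sorted(suffixes & PHP_EXTS)
            if hit:
                findings.append((rel, "PHP-executable extension: " + hit[0]))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    # Placeholder: pass the site's real media directory as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, reason in audit_media_dir(target):
        print(f"{rel}: {reason}")
```

Any finding in a directory that should hold only user media warrants review of the web server access logs for requests to that path, in addition to applying the update.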

Exploit

Fix

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2026-41938

Affected Products

Vvveb