PT-2026-40944 · Givanz+1 · Vvveb
Basant Kumar
+1
·
Published
2026-05-14
·
Updated
2026-05-14
·
CVE-2026-41937
CVSS v4.0
8.6
High
| Vector | AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Vvveb versions prior to 1.0.8.3
Description
An unrestricted file upload issue exists in the plugin upload endpoint. This allows users with super admin privileges to execute arbitrary PHP code by uploading a malicious plugin ZIP file. The attack involves crafting a ZIP archive containing a
plugin.php file with a valid Slug header and a public/index.php file containing arbitrary PHP code. This code executes with the permissions of the web server user when accessed through unauthenticated HTTP requests to the public path of the plugin.Recommendations
Update to version 1.0.8.3 or later.
Exploit
Fix
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Vvveb