PT-2026-40944 · Givanz+1 · Vvveb

Basant Kumar

+1

·

Published

2026-05-14

·

Updated

2026-05-14

·

CVE-2026-41937

CVSS v4.0

8.6

High

VectorAV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Vvveb versions prior to 1.0.8.3
Description An unrestricted file upload issue exists in the plugin upload endpoint. This allows users with super admin privileges to execute arbitrary PHP code by uploading a malicious plugin ZIP file. The attack involves crafting a ZIP archive containing a plugin.php file with a valid Slug header and a public/index.php file containing arbitrary PHP code. This code executes with the permissions of the web server user when accessed through unauthenticated HTTP requests to the public path of the plugin.
Recommendations Update to version 1.0.8.3 or later.

Exploit

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-41937

Affected Products

Vvveb