CVE-2026-41936
HIGH SEVERITYCVSS Score & Metrics
Base Score
8.1 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vulnerability Description
Vvveb before version 1.0.8.2 contains an XML external entity (XXE) injection vulnerability in the admin Tools/Import feature that allows authenticated site_admin users to read arbitrary files and modify database records. Attackers can exploit the XML parser configuration in system/import/xml.php to inject file:// or php://filter entity references that are resolved and persisted into the application database, enabling arbitrary file disclosure and administrator password hash overwriting for privilege escalation.
Vulnerability Details
Published Date
Last Modified
CWE ID
CWE-611
Source
NVD
Vendor
givanz
Product
Vvveb
External References
- https://github.com/givanz/Vvveb/commit/86f7128a18edebe0ff47e3855558467eb0ef9106
- https://github.com/givanz/Vvveb/releases/tag/1.0.8.2
- https://github.com/givanz/Vvveb/security/advisories/GHSA-rfxr-4xpm-wrp7
- https://www.vulncheck.com/advisories/vvveb-xml-external-entity-injection-via-import
- https://github.com/givanz/Vvveb/security/advisories/GHSA-rfxr-4xpm-wrp7
Discussion (0)
Add Comment
No comments yet. Be the first!