High severity7.2NVD Advisory· Published May 14, 2026· Updated May 14, 2026

CVE-2026-41937

Description

Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows super_admin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file. Attackers can craft a ZIP containing a plugin.php with a valid Slug header and a public/index.php file with arbitrary PHP code, which executes as the web server user when accessed via unauthenticated HTTP requests to the plugin's public path.

Affected products

Givanz/Vvvebreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/givanz/Vvveb/commit/04f0294350ec429e307cd31c2e777a4797c868d6nvd
github.com/givanz/Vvveb/releases/tag/1.0.8.3nvd
www.vulncheck.com/advisories/vvveb-unrestricted-file-upload-rce-via-plugin-uploadnvd

News mentions

No linked articles in our index yet.

cvss	0.468
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000