ГлавнаяУязвимости → CVE-2026-41938
8.8высокая

CVE-2026-41938

Описание

Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and execute the uploaded payload through a subsequent unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges.

CVSS
Балл8.8 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Источники
https://github.com/givanz/Vvveb/commit/54a9e846fb94192f1b31ae81d81d25c874662e6ahttps://github.com/givanz/Vvveb/releases/tag/1.0.8.2https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48ghttps://www.vulncheck.com/advisories/vvveb-rce-via-media-upload-handlerhttps://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g