CVE-2026-3918

Vvveb · Vvveb

Vvveb is vulnerable to unauthenticated remote code execution via code injection in the installation endpoint's `subdir` parameter.

Executive summary

An unauthenticated code injection vulnerability in Vvveb allows attackers to achieve remote code execution by manipulating configuration files.

Vulnerability

The installation endpoint fails to sanitize the subdir POST parameter before writing it to the env.php configuration file. An unauthenticated attacker can break out of the string context to inject arbitrary PHP code.

Business impact

With a CVSS score of 9.8, this vulnerability poses a critical threat to the integrity and availability of the web application. Successful exploitation allows an attacker to execute code as the web server user, leading to full system compromise and potential data exfiltration.

Remediation

Immediate Action: Upgrade Vvveb installations to version 1.0.8.1 or later immediately.

Proactive Monitoring: Review web server access logs for suspicious POST requests to installation endpoints and verify the integrity of the env.php configuration file for unauthorized modifications.

Compensating Controls: Deploy a Web Application Firewall (WAF) to block requests containing malicious injection patterns targeting the installation directory.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The ability for an unauthenticated attacker to execute arbitrary code makes this an urgent security priority. Organizations using Vvveb must verify their versioning and apply the necessary updates without delay.