CVE-2026-3918
Vvveb · Vvveb
Vvveb is vulnerable to unauthenticated remote code execution via code injection in the installation endpoint's `subdir` parameter.
Executive summary
An unauthenticated code injection vulnerability in Vvveb allows attackers to achieve remote code execution by manipulating configuration files.
Vulnerability
The installation endpoint fails to sanitize the subdir POST parameter before writing it to the env.php configuration file. An unauthenticated attacker can break out of the string context to inject arbitrary PHP code.
Business impact
With a CVSS score of 9.8, this vulnerability poses a critical threat to the integrity and availability of the web application. Successful exploitation allows an attacker to execute code as the web server user, leading to full system compromise and potential data exfiltration.
Remediation
Immediate Action: Upgrade Vvveb installations to version 1.0.8.1 or later immediately.
Proactive Monitoring: Review web server access logs for suspicious POST requests to installation endpoints and verify the integrity of the env.php configuration file for unauthorized modifications.
Compensating Controls: Deploy a Web Application Firewall (WAF) to block requests containing malicious injection patterns targeting the installation directory.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The ability for an unauthenticated attacker to execute arbitrary code makes this an urgent security priority. Organizations using Vvveb must verify their versioning and apply the necessary updates without delay.