CRITICALCVE-2026-39918Published 2026-04-20Modified 2026-05-08CNA VulnCheck

CVE-2026-39918: Vvveb < 1.0.8.1 Code Injection via Installation Endpoint

Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the define statement to achieve unauthenticated remote code execution as the web server user.

CVSS v4.0: 9.2
Severity: CRITICAL
Fixed in: 1.0.8.1
Affected Products: 1

Fix available

1.0.8.15162c1639130bd080ab63c7d856788cd59d6b3b7

Patch commits

github.com

Affected packages

givanz / Vvveb
< 1.0.8.1 (from 0)
Fixed in 5162c1639130bd080ab63c7d856788cd59d6b3b7

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

github.com
github.com
vulncheck.com

Metrics

Fix available