CVE-2026-41936
HIGH
NVD
CVSS Score
8.1
Severity
HIGH
Published
May 06, 2026
Vendor
unknown
Description
Vvveb before version 1.0.8.2 contains an XML external entity (XXE) injection vulnerability in the admin Tools/Import feature that allows authenticated site_admin users to read arbitrary files and modify database records. Attackers can exploit the XML parser configuration in system/import/xml.php to inject file:// or php://filter entity references that are resolved and persisted into the application database, enabling arbitrary file disclosure and administrator password hash overwriting for privilege escalation.
References
- https://github.com/givanz/Vvveb/commit/86f7128a18edebe0ff47e3855558467eb0ef9106
- https://github.com/givanz/Vvveb/releases/tag/1.0.8.2
- https://github.com/givanz/Vvveb/security/advisories/GHSA-rfxr-4xpm-wrp7
- https://www.vulncheck.com/advisories/vvveb-xml-external-entity-injection-via-import
- https://github.com/givanz/Vvveb/security/advisories/GHSA-rfxr-4xpm-wrp7