{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/vvveb--1.0.8.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-41937"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Vvveb","Vvveb \u003c 1.0.8.3"],"_cs_severities":["high"],"_cs_tags":["file upload","remote code execution","web application"],"_cs_type":"advisory","_cs_vendors":["Vvveb"],"content_html":"\u003cp\u003eVvveb before version 1.0.8.3 contains an unrestricted file upload vulnerability (CVE-2026-41937) in its plugin upload endpoint. The endpoint accepts a plugin ZIP archive from a \u003ccode\u003esuper_admin\u003c/code\u003e user and extracts it without restricting the file types it places into a publicly accessible directory, so anyone holding that role can upload arbitrary files. A working malicious plugin needs only two entries: a \u003ccode\u003eplugin.php\u003c/code\u003e file carrying a valid \u003ccode\u003eSlug\u003c/code\u003e header, which passes the initial plugin checks, and a \u003ccode\u003epublic/index.php\u003c/code\u003e file containing the attacker\u0026rsquo;s PHP code. 
Once the archive is installed, the PHP code in \u003ccode\u003epublic/index.php\u003c/code\u003e is reachable through unauthenticated HTTP requests to the plugin\u0026rsquo;s public path, which yields remote code execution (RCE) as the web server user. Only the upload step needs the \u003ccode\u003esuper_admin\u003c/code\u003e session; the dropped file is served to anyone who requests it.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Vvveb instance running a version prior to 1.0.8.3.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates as a \u003ccode\u003esuper_admin\u003c/code\u003e user.\u003c/li\u003e\n\u003cli\u003eThe attacker builds a ZIP archive with two entries: a \u003ccode\u003eplugin.php\u003c/code\u003e whose \u003ccode\u003eSlug\u003c/code\u003e header is valid, so the archive passes the initial plugin checks, and a \u003ccode\u003epublic/index.php\u003c/code\u003e holding the PHP code to be executed.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the archive through the plugin upload endpoint.\u003c/li\u003e\n\u003cli\u003eVvveb extracts the archive and writes \u003ccode\u003epublic/index.php\u003c/code\u003e into a publicly accessible directory.\u003c/li\u003e\n\u003cli\u003eThe attacker, or anyone who knows the path, sends an unauthenticated HTTP request to the URL of that \u003ccode\u003epublic/index.php\u003c/code\u003e, and the web server executes the embedded PHP code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation gives arbitrary PHP code execution on the Vvveb server as the web server user. 
A \u003ccode\u003esuper_admin\u003c/code\u003e who is malicious, or whose credentials or session have been stolen, therefore gains complete control of the affected instance: a persistent backdoor, operating system commands run under the web server account, data theft, defacement, and a foothold for lateral movement within the network. Confidentiality, integrity, and availability of the application and of the underlying host are all at stake, and because the dropped file is served without authentication the backdoor outlives the admin session that planted it.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Vvveb to version 1.0.8.3 or later to patch CVE-2026-41937.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect CVE-2026-41937 Exploitation Attempt — Vvveb Plugin Upload\u0026rdquo;, which matches malicious plugin uploads on HTTP request characteristics; it only fires if the web server or reverse proxy logs reach the SIEM, so confirm that collection first.\u003c/li\u003e\n\u003cli\u003eExploitation requires the \u003ccode\u003esuper_admin\u003c/code\u003e role, so keep that role on as few accounts as possible, protect those accounts with strong authentication, and do not expose the plugin upload endpoint more widely than the administrators who need it.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to PHP files under a plugin\u0026rsquo;s public path that appear shortly after a plugin upload, and review the contents of any plugin installed in that window before trusting it.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T15:17:40Z","date_published":"2026-05-14T15:17:40Z","id":"https://feed.craftedsignal.io/briefs/2026-05-vvveb-file-upload/","summary":"Vvveb before 1.0.8.3 is vulnerable to unrestricted file upload, allowing super_admin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file containing PHP code which is then accessible via HTTP requests.","title":"Vvveb Unrestricted File Upload Vulnerability (CVE-2026-41937)","url":"https://feed.craftedsignal.io/briefs/2026-05-vvveb-file-upload/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-41935"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Vvveb","Vvveb \u003c 1.0.8.3"],"_cs_severities":["medium"],"_cs_tags":["denial of service","web 
application","recursion"],"_cs_type":"advisory","_cs_vendors":["Vvveb"],"content_html":"\u003cp\u003eVvveb before version 1.0.8.3 contains an uncontrolled recursion vulnerability (CVE-2026-41935) in the admin controller dispatch cycle. When a low-privilege account requests an admin URL it is not permitted to use, \u003ccode\u003eBase::init()\u003c/code\u003e calls \u003ccode\u003epermission()\u003c/code\u003e, the check fails, and control passes to the error handler; the error handler is itself run through \u003ccode\u003eBase::init()\u003c/code\u003e, so \u003ccode\u003epermission()\u003c/code\u003e is invoked again, fails again, and re-enters the error handler with no base case to stop the cycle. Each such request therefore grows the call stack until the PHP worker hits its memory limit. An attacker who sends these requests continuously can exhaust the memory of every PHP worker, denying service to legitimate traffic, and needs nothing more than a low-privilege account to do it.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker obtains a low-privilege account on the Vvveb application.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies admin URLs that the account is forbidden to access (e.g., \u003ccode\u003e/admin/config\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends HTTP requests for those URLs to the Vvveb server, sustained over time.\u003c/li\u003e\n\u003cli\u003eFor each request the admin controller dispatch cycle starts and \u003ccode\u003eBase::init()\u003c/code\u003e invokes \u003ccode\u003epermission()\u003c/code\u003e, which fails because the account lacks the permission.\u003c/li\u003e\n\u003cli\u003eThe failure hands off to the error handler, which is itself initialised through \u003ccode\u003eBase::init()\u003c/code\u003e and so calls \u003ccode\u003epermission()\u003c/code\u003e again; the call repeats without bound.\u003c/li\u003e\n\u003cli\u003eThe uncontrolled recursion exhausts the PHP memory limit on the worker handling the request; with enough concurrent requests every worker is exhausted and the site stops serving.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this 
vulnerability leads to a denial-of-service condition affecting all users of the Vvveb instance, not only the attacker\u0026rsquo;s own session, because the memory exhaustion occurs in the shared pool of PHP workers. The only precondition is a low-privilege account, so any deployment that issues such accounts can be taken offline by one of them. The CVSS v3.1 base score is 7.1 (High on the CVSS v3.1 qualitative scale); the score rates the impact of a successful attack and says nothing about how likely exploitation is. At publication no public proof of concept or in-the-wild exploitation is recorded for this issue.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Vvveb to version 1.0.8.3 or later to patch CVE-2026-41935.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-41935 Exploitation Attempt - Multiple 403 Errors\u0026rdquo;, which flags a client that accumulates many 403 responses on admin URLs within a short window in the web server logs. Tune the threshold to the deployment: a handful of 403s from a user who mistyped a URL is normal, a steady stream from one account or address is not.\u003c/li\u003e\n\u003cli\u003eWatch the PHP error log for \u0026ldquo;Allowed memory size of N bytes exhausted\u0026rdquo; fatal errors and watch web server resource consumption (CPU, memory) for unexpected spikes. A worker killed by memory exhaustion may not log a clean 403, so these signals complement the Sigma rule rather than duplicate it.\u003c/li\u003e\n\u003cli\u003eUntil the upgrade is in place, rate-limit requests to admin URLs per account or source address at the reverse proxy to slow the attack down.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T15:17:27Z","date_published":"2026-05-14T15:17:27Z","id":"https://feed.craftedsignal.io/briefs/2026-05-vvveb-recursion-dos/","summary":"Vvveb before version 1.0.8.3 contains an uncontrolled recursion vulnerability in the admin controller dispatch cycle that allows a low-privilege attacker to cause a denial of service by exhausting PHP memory.","title":"Vvveb Uncontrolled Recursion Denial of Service (CVE-2026-41935)","url":"https://feed.craftedsignal.io/briefs/2026-05-vvveb-recursion-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Vvveb \u003c 1.0.8.3","version":"https://jsonfeed.org/version/1.1"}
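Added example, not part of the feed and not Vvveb's own code: a small Python detector that runs the log-based checks both advisories above recommend over constructed web server access-log lines. For CVE-2026-41937 it flags a successful request to a PHP file under a plugin's public path that first appears shortly after a successful plugin upload (the "requests to newly uploaded PHP files" signal); for CVE-2026-41935 it flags a client that accumulates many 403 responses on /admin URLs inside a sliding window (the condition behind the "Multiple 403 Errors" Sigma rule). The upload route pattern ("plugin" and "upload" in the path) and the /plugins/slug/public/ layout are assumptions, not documented Vvveb paths, and every sample log line is constructed for the demonstration.

```python
"""Log-based detection for the two Vvveb advisories (added example, not project code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format: ip ident user [ts] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# ASSUMED paths (not taken from the advisories): the plugin upload route contains
# "plugin" and "upload", and installed plugins are served from /plugins/<slug>/public/.
# Replace both with the deployment's real routes before using this in earnest.
UPLOAD_RE = re.compile(r"plugin.*upload", re.IGNORECASE)
PLUGIN_PUBLIC_RE = re.compile(r"^/plugins/[^/]+/public/.*\.php$", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string before matching
    return rec


def detect_plugin_upload_rce(records, window=timedelta(minutes=10)):
    """CVE-2026-41937 pattern: a successful plugin upload followed, within `window`, by a
    successful request to a PHP file under a plugin's public path that was never requested
    before the upload, i.e. a freshly installed PHP file being reached over HTTP."""
    alerts, uploads, seen = [], [], set()
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["method"] == "POST" and r["status"] < 400 and UPLOAD_RE.search(r["path"]):
            uploads.append(r["ts"])
            continue
        if r["status"] < 400 and PLUGIN_PUBLIC_RE.match(r["path"]):
            recent_upload = any(timedelta(0) <= r["ts"] - u <= window for u in uploads)
            if r["path"] not in seen and recent_upload:
                alerts.append(("plugin_public_php_after_upload", r["ip"], r["path"]))
            seen.add(r["path"])
    return alerts


def detect_admin_403_burst(records, threshold=20, window=timedelta(seconds=60)):
    """CVE-2026-41935 pattern: `threshold` or more 403s from one client on /admin URLs
    inside a sliding `window` of time."""
    per_ip = defaultdict(list)
    for r in records:
        if r["status"] == 403 and r["path"].startswith("/admin"):
            per_ip[r["ip"]].append(r["ts"])
    alerts = []
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append(("admin_403_burst", ip, peak))
    return alerts


def run_detections(lines):
    """Parse raw log lines and return the alerts from both detectors."""
    records = [rec for rec in map(parse_line, lines) if rec is not None]
    return detect_plugin_upload_rce(records) + detect_admin_403_burst(records)


def _log(ip, ts, method, target, status):
    return f'{ip} - - [{ts}] "{method} {target} HTTP/1.1" {status} 512'


# Constructed sample log (not real traffic): a benign plugin asset request long before any
# upload, a plugin upload followed by a hit on the new public/index.php from another address,
# a 403 burst from a low-privilege account, and two harmless 403s from a mistyped URL.
SAMPLE_LOG = (
    [_log("192.0.2.9", "14/May/2026:09:00:00 +0000", "GET", "/plugins/seo/public/index.php", 200),
     _log("203.0.113.5", "14/May/2026:10:00:00 +0000", "POST", "/admin/plugins/upload", 200),
     _log("198.51.100.7", "14/May/2026:10:00:20 +0000", "GET", "/plugins/evil/public/index.php?cmd=id", 200)]
    + [_log("198.51.100.42", f"14/May/2026:10:05:{i:02d} +0000", "GET", "/admin/config", 403) for i in range(25)]
    + [_log("192.0.2.9", "14/May/2026:10:06:00 +0000", "GET", "/admin/config", 403),
       _log("192.0.2.9", "14/May/2026:10:06:05 +0000", "GET", "/admin/config", 403)]
)

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(*alert)
```

A combined-format access log cannot show whether a request carried an application session, so the "unauthenticated" property of the payload request is inferred from a PHP file under a plugin path being requested for the first time right after an upload, not from the log's auth field. Point the parser at the reverse proxy's log rather than the PHP-FPM host's if the two differ, and tune the 403 threshold and both windows to the site's normal traffic before alerting on them.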