{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/vvveb/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-41930"}],"_cs_exploited":false,"_cs_products":["Vvveb","phpMyAdmin"],"_cs_severities":["critical"],"_cs_tags":["hardcoded-credentials","phpmyadmin","docker","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Vvveb"],"content_html":"\u003cp\u003eVvveb, a web page builder, versions before 1.0.8.2 are susceptible to a critical vulnerability stemming from hardcoded credentials within the \u003ccode\u003edocker-compose-apache.yaml\u003c/code\u003e file. This misconfiguration exposes the bundled phpMyAdmin container, providing unauthenticated attackers with a readily available pathway to compromise the entire Vvveb database. By exploiting these default credentials, attackers circumvent normal authentication procedures and gain complete control over sensitive data. This includes administrator password hashes, customer Personally Identifiable Information (PII), and order details. 
The ease of exploitation and the potential for significant data breach make this vulnerability a critical risk for any organization using affected versions of Vvveb.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Vvveb instance running a version prior to 1.0.8.2.\u003c/li\u003e\n\u003cli\u003eAttacker accesses the phpMyAdmin service exposed by the vulnerable Vvveb instance, typically on port 80 or 443 depending on the configuration.\u003c/li\u003e\n\u003cli\u003eAttacker uses the hardcoded credentials found in the \u003ccode\u003edocker-compose-apache.yaml\u003c/code\u003e file to authenticate to the phpMyAdmin interface without needing to bypass any security measures.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the attacker gains unrestricted read and write access to the entire Vvveb database through the phpMyAdmin interface.\u003c/li\u003e\n\u003cli\u003eAttacker extracts sensitive information, including administrator password hashes, customer PII, and order data.\u003c/li\u003e\n\u003cli\u003eAttacker uses the compromised administrator password hashes to gain administrative access to the Vvveb application.\u003c/li\u003e\n\u003cli\u003eAttacker manipulates database records to modify user accounts, alter orders, or inject malicious code into the website.\u003c/li\u003e\n\u003cli\u003eAttacker achieves full account takeover and data manipulation capabilities, potentially leading to significant financial loss and reputational damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to compromise the entire Vvveb database. This grants access to sensitive customer data, including PII and financial information, as well as administrator credentials. Consequences include account takeover, data theft, and manipulation of website content. 
Given the widespread use of phpMyAdmin and the ease of exploitation, organizations running vulnerable versions of Vvveb are at significant risk of data breaches and financial losses. The CVSS v3.1 base score of 9.8 highlights the critical nature of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Vvveb to version 1.0.8.2 or later to patch CVE-2026-41930.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, restrict access to the phpMyAdmin container by modifying firewall rules to only allow access from trusted IP addresses or internal networks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect unauthorized access attempts to the phpMyAdmin interface via specific HTTP requests targeting phpMyAdmin login pages.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T19:16:37Z","date_published":"2026-05-06T19:16:37Z","id":"/briefs/2026-05-vvveb-hardcoded-credentials/","summary":"Vvveb versions before 1.0.8.2 contain a hardcoded credentials vulnerability in the docker-compose-apache.yaml configuration, allowing unauthenticated attackers to access the phpMyAdmin container and gain unrestricted read and write access to the Vvveb database, leading to account takeover and data manipulation.","title":"Vvveb Hardcoded Credentials Vulnerability in phpMyAdmin Container","url":"https://feed.craftedsignal.io/briefs/2026-05-vvveb-hardcoded-credentials/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-41936"}],"_cs_exploited":false,"_cs_products":["Vvveb","Vvveb \u003c 1.0.8.2"],"_cs_severities":["high"],"_cs_tags":["xxe","vulnerability","injection"],"_cs_type":"advisory","_cs_vendors":["Vvveb"],"content_html":"\u003cp\u003eVvveb, a content management system, is susceptible to an XML External Entity (XXE) injection vulnerability (CVE-2026-41936) affecting versions prior to 1.0.8.2. 
The vulnerability resides in the admin Tools/Import functionality, specifically within the \u003ccode\u003esystem/import/xml.php\u003c/code\u003e file. Authenticated users with site_admin privileges can exploit this flaw to inject malicious XML payloads containing file:// or php://filter entity references. This allows attackers to read arbitrary files from the server, including sensitive configuration files and application source code. Furthermore, successful exploitation can lead to the modification of database records, potentially enabling administrator password hash overwriting for privilege escalation, and gaining complete control over the CMS. This vulnerability poses a significant risk to organizations using Vvveb for managing their websites, as it allows unauthorized access to sensitive data and system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Vvveb CMS as a site administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the admin Tools/Import section.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious XML file containing an XXE payload with a \u003ccode\u003efile://\u003c/code\u003e or \u003ccode\u003ephp://filter\u003c/code\u003e wrapper.\u003c/li\u003e\n\u003cli\u003eThe malicious XML payload is uploaded through the import feature.\u003c/li\u003e\n\u003cli\u003eThe Vvveb application parses the XML file using the vulnerable \u003ccode\u003esystem/import/xml.php\u003c/code\u003e script.\u003c/li\u003e\n\u003cli\u003eThe XML parser resolves the external entities, reading arbitrary files from the system.\u003c/li\u003e\n\u003cli\u003eThe application then persists the resolved entities into the application database.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages database modification to overwrite the administrator password hash, gaining elevated privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XXE vulnerability can have severe consequences. An attacker can read sensitive files from the server, potentially exposing confidential data, source code, and API keys. More critically, the ability to modify database records allows for administrator password hash overwriting, leading to complete compromise of the Vvveb CMS.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Vvveb to version 1.0.8.2 or later to patch CVE-2026-41936.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect exploitation attempts against the \u003ccode\u003esystem/import/xml.php\u003c/code\u003e endpoint in Vvveb.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for XML files uploaded through the admin interface to prevent XXE attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T19:16:37Z","date_published":"2026-05-06T19:16:37Z","id":"/briefs/2024-01-vvveb-xxe/","summary":"Vvveb before 1.0.8.2 is vulnerable to XML external entity (XXE) injection in the admin import feature, allowing authenticated site administrators to read arbitrary files and modify database records, potentially leading to privilege escalation.","title":"Vvveb CMS XML External Entity Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-vvveb-xxe/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-41934"}],"_cs_exploited":false,"_cs_products":["Vvveb"],"_cs_severities":["critical"],"_cs_tags":["rce","htaccess","vvveb","CVE-2026-41934","attack.execution"],"_cs_type":"advisory","_cs_vendors":["Vvveb"],"content_html":"\u003cp\u003eVvveb versions prior to 1.0.8.2 are susceptible to an authenticated remote code execution vulnerability, identified as CVE-2026-41934. 
This flaw allows attackers with low-privilege accounts (editor, author, contributor, or site_admin) to execute arbitrary code on the server. The vulnerability stems from insufficient file extension restrictions in the admin code editor. An attacker can leverage this weakness to upload a specially crafted .htaccess file, which maps arbitrary file extensions to the PHP handler. Subsequently, they can upload a PHP file with the newly mapped extension. When this PHP file is accessed via HTTP, the server executes the embedded code, resulting in unauthenticated remote code execution. This poses a significant threat, as it enables attackers to compromise the entire web server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to the Vvveb application with editor, author, contributor, or site_admin privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the admin code editor within the Vvveb application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious .htaccess file that maps an arbitrary file extension (e.g., .test) to the PHP handler. 
The .htaccess file contains the line: \u003ccode\u003eAddType application/x-httpd-php .test\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe attacker uses the admin code editor to upload the malicious .htaccess file to a publicly accessible directory on the web server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a PHP file containing malicious code and saves it with the file extension mapped in the .htaccess file (e.g., shell.test).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the PHP file (shell.test) to the same directory as the .htaccess file using the admin code editor.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the uploaded PHP file (e.g., \u003ccode\u003ehttp://example.com/path/to/shell.test\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe web server, due to the .htaccess configuration, interprets the .test file as PHP and executes the malicious code, achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41934 allows an attacker to execute arbitrary code on the web server hosting Vvveb. This can lead to complete system compromise, data theft, defacement of the website, or further lateral movement within the network. The vulnerability affects all Vvveb instances running versions prior to 1.0.8.2. 
Due to the ease of exploitation, a wide range of Vvveb installations are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Vvveb to version 1.0.8.2 or later to patch CVE-2026-41934 immediately.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious .htaccess Uploads\u0026rdquo; to detect attempts to upload malicious .htaccess files via the webserver logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for requests to files with unusual extensions (e.g., .test, .custom) after the upload of .htaccess files to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Web Request for unusual file extensions\u0026rdquo; to detect requests to files with unusual file extensions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-vvveb-rce/","summary":"Vvveb versions before 1.0.8.2 are vulnerable to authenticated remote code execution (RCE), enabling low-privilege users to execute arbitrary code by uploading a malicious .htaccess file and subsequently uploading PHP code with a mapped extension, resulting in unauthenticated RCE upon file access.","title":"Vvveb Authenticated Remote Code Execution via .htaccess Upload (CVE-2026-41934)","url":"https://feed.craftedsignal.io/briefs/2024-01-vvveb-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Vvveb","version":"https://jsonfeed.org/version/1.1"}