Description

Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the define statement to achieve unauthenticated remote code execution as the web server user.

INFO

Published Date :

2026-04-20T14:46:33.549Z

Last Modified :

2026-04-20T15:36:55.619Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2026-39918 vulnerability.

Vendors Products
Givanz
  • Vvveb
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39918.

URL Resource
https://github.com/givanz/Vvveb/commit/5162c1639130bd080ab63c7d856788cd59d6b3b7 cve-icon cve-icon
https://github.com/givanz/Vvveb/releases/tag/1.0.8.1 cve-icon cve-icon
https://www.vulncheck.com/advisories/vvveb-code-injection-via-installation-endpoint cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact