Critical RCE Vulnerability in Vvveb CMS v1.0.8 Discovered

Severity: High (Score: 72.8)

Sources: infosec.exchange, db.gcve.eu, Feedly, infinitsec.net, vulnerability.circl.lu

Summary

A remote code execution vulnerability, identified as CVE-2026-6257, has been discovered in Vvveb CMS version 1.0.8. The flaw resides in the media management functionality, where a missing return statement in the file rename handler allows authenticated attackers to rename files to restricted extensions such as .php or .htaccess. This vulnerability can be exploited by first uploading a text file, renaming it to .htaccess to inject malicious Apache directives, and then uploading a PHP file to execute arbitrary commands as the www-data user. The impact includes a complete compromise of confidentiality, integrity, and availability of the affected systems. Currently, there is no evidence of active exploitation or a public proof-of-concept. A patch has been released, and users are advised to update immediately and restrict access to the media management functionality. The CVSS score assigned to this vulnerability is 9.1, indicating a critical severity level. Key Points: • CVE-2026-6257 in Vvveb CMS v1.0.8 allows remote code execution via file renaming. • Attackers can exploit this vulnerability to execute commands as the www-data user. • A patch is available; immediate updates and access restrictions are recommended.

Key Entities

• Remote Code Execution (attack_type)
• Zero-day Exploit (attack_type)
• CVE-2026-6257 (cve)
• Cwe-434 - Unrestricted Upload Of File With Dangerous Type (cwe)
• CWE-78 - OS Command Injection (cwe)
• T1059 - Command and Scripting Interpreter (mitre_attack)
• T1078 - Valid Accounts (mitre_attack)
• T1190 - Exploit Public-Facing Application (mitre_attack)
• T1505.003 - Web Shell (mitre_attack)
• Apache (platform)