Critical RCE Vulnerability in Vvveb CMS v1.0.8 Discovered

Critical RCE Vulnerability in Vvveb CMS v1.0.8 Discovered

First seen 21 Apr 2026, 15:30 UTC Feedlyvulnerability.circl.ludb.gcve.euinfinitsec.netinfosec.exchange 81% similarity 72.8

Article Content

Browse articles
ThreatCluster

A remote code execution vulnerability, identified as CVE-2026-6257, has been discovered in Vvveb CMS version 1.0.8. The flaw resides in the media management functionality, where a missing return statement in the file rename handler allows authenticated attackers to rename files to restricted extensions such as .php or .htaccess. This vulnerability can be exploited by first uploading a text file, renaming it to .htaccess to inject malicious Apache directives, and then uploading a PHP file to execute arbitrary commands as the www-data user. The impact includes a complete compromise of confidentiality, integrity, and availability of the affected systems. Currently, there is no evidence of active exploitation or a public proof-of-concept. A patch has been released, and users are advised to update immediately and restrict access to the media management functionality. The CVSS score assigned to this vulnerability is 9.1, indicating a critical severity level.

Key Points: • CVE-2026-6257 in Vvveb CMS v1.0.8 allows remote code execution via file renaming. • Attackers can exploit this vulnerability to execute commands as the www-data user. • A patch is available; immediate updates and access restrictions are recommended.

ThreatCluster AI

Timeline

2026-04-20
CVE-2026-6257 published
2026-04-21
Multiple articles report on the vulnerability and its impact
2026-04-21
Patch for Vvveb CMS released

Community

Browse all →