db.gcve.eu
Critical RCE Vulnerability in Vvveb CMS v1.0.8 Discovered
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A remote code execution vulnerability, identified as CVE-2026-6257, has been discovered in Vvveb CMS version 1.0.8. The flaw resides in the media management functionality, where a missing return statement in the file rename handler allows authenticated attackers to rename files to restricted extensions such as .php or .htaccess. This vulnerability can be exploited by first uploading a text file, renaming it to .htaccess to inject malicious Apache directives, and then uploading a PHP file to execute arbitrary commands as the www-data user. The impact includes a complete compromise of confidentiality, integrity, and availability of the affected systems. Currently, there is no evidence of active exploitation or a public proof-of-concept. A patch has been released, and users are advised to update immediately and restrict access to the media management functionality. The CVSS score assigned to this vulnerability is 9.1, indicating a critical severity level.
Key Points: • CVE-2026-6257 in Vvveb CMS v1.0.8 allows remote code execution via file renaming. • Attackers can exploit this vulnerability to execute commands as the www-data user. • A patch is available; immediate updates and access restrictions are recommended.