CVE-2026-41936— Vvveb < 1.0.8.2 XML External Entity Injection via Import
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41936
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Vvveb < 1.0.8.2 XML External Entity Injection via Import
Source: NVD (National Vulnerability Database)
Vulnerability Description
Vvveb before version 1.0.8.2 contains an XML external entity (XXE) injection vulnerability in the admin Tools/Import feature that allows authenticated site_admin users to read arbitrary files and modify database records. Attackers can exploit the XML parser configuration in system/import/xml.php to inject file:// or php://filter entity references that are resolved and persisted into the application database, enabling arbitrary file disclosure and administrator password hash overwriting for privilege escalation.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
XML外部实体引用的不恰当限制(XXE)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Vvveb 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Vvveb是Givan个人开发者的一个强大且易于使用的CMS,用于构建网站、博客或电子商务商店。 Vvveb 1.0.8.2之前版本存在代码问题漏洞,该漏洞源于管理员工具导入功能中存在XML外部实体注入,可能导致认证用户读取任意文件和修改数据库记录。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-41936
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 8805 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-41936
请登录查看更多情报信息。
- Release Vvveb 1.0.8.2 · givanz/Vvveb · GitHubrelease-notes
- https://nvd.nist.gov/vuln/detail/CVE-2026-41936
Same Patch Batch · givanz · 2026-05-06 · 5 CVEs total
| CVE-2026-41930 | 9.8 CRITICAL | Vvveb < 1.0.8.2 Hard-coded Credentials Information Disclosure via phpMyAdmin |
| CVE-2026-41938 | 8.8 HIGH | Vvveb < 1.0.8.2 RCE via Media Upload Handler |
| CVE-2026-41934 | 8.8 HIGH | Vvveb < 1.0.8.2 Authenticated RCE via Code Editor |
| CVE-2026-41931 | 5.3 MEDIUM | Vvveb < 1.0.8.2 Information Disclosure via Debug Exception Handler |
IV. Related Vulnerabilities
Same product: Vvveb
- CVE-2026-46408
Vvveb: checkout IDOR allows unauthorized reuse of another us - CVE-2026-46407
Vvveb: admin/auth-token IDOR allows unauthorized disclosure - CVE-2026-45800
Vvveb: Authenticated SQL injection in /user/orders via order - CVE-2026-45622
Vvveb: Unauthenticated reflected XSS in public product retur - CVE-2026-45616
Vvveb: Stored XSS in Posts allows privilege escalation via p
Same vendor: givanz
- CVE-2026-46408
Vvveb: checkout IDOR allows unauthorized reuse of another us - CVE-2026-46407
Vvveb: admin/auth-token IDOR allows unauthorized disclosure - CVE-2026-45800
Vvveb: Authenticated SQL injection in /user/orders via order - CVE-2026-45622
Vvveb: Unauthenticated reflected XSS in public product retur - CVE-2026-45616
Vvveb: Stored XSS in Posts allows privilege escalation via p
Same weakness: CWE-611
- CVE-2026-44445
ERPNext: XML External Entity (XEE) Reference Vulnerability i - CVE-2026-41895
changedetection.io: XXE vulnerability in the changedetection - CVE-2026-40682
Apache OpenNLP: XXE via Dictionary Parsing in DictionaryEntr - CVE-2026-6501
ILM Informatique jOpenDocument 代码问题漏洞 - CVE-2025-14543
Improper Restriction of XML External Entity Reference vulner
V. Comments for CVE-2026-41936
No comments yet