CVE-2026-41937— Vvveb < 1.0.8.3 Unrestricted File Upload RCE via Plugin Upload
Possible ATT&CK Techniques 3AI
T1190 · Exploit Public-Facing Application T1059 · Command and Scripting Interpreter T1505.003 · Web ShellGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41937
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Vvveb < 1.0.8.3 Unrestricted File Upload RCE via Plugin Upload
Source: NVD (National Vulnerability Database)
Vulnerability Description
Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows super_admin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file. Attackers can craft a ZIP containing a plugin.php with a valid Slug header and a public/index.php file with arbitrary PHP code, which executes as the web server user when accessed via unauthenticated HTTP requests to the plugin's public path.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
危险类型文件的不加限制上传
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-41937
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 6790 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-41937
请登录查看更多情报信息。
- https://github.com/givanz/Vvveb/releases/tag/1.0.8.3release-notes
- https://nvd.nist.gov/vuln/detail/CVE-2026-41937
Same Patch Batch · givanz · 2026-05-14 · 4 CVEs total
| CVE-2026-41935 | 7.1 HIGH | Vvveb < 1.0.8.3 Uncontrolled Recursion Denial of Service |
| CVE-2026-41932 | 6.1 MEDIUM | Vvveb < 1.0.8.3 Stored XSS via Signup Controller |
| CVE-2026-41933 | 5.3 MEDIUM | Vvveb < 1.0.8.3 Directory Listing Information Disclosure |
IV. Related Vulnerabilities
Same product: Vvveb
- CVE-2026-46408
Vvveb: checkout IDOR allows unauthorized reuse of another us - CVE-2026-46407
Vvveb: admin/auth-token IDOR allows unauthorized disclosure - CVE-2026-45800
Vvveb: Authenticated SQL injection in /user/orders via order - CVE-2026-45622
Vvveb: Unauthenticated reflected XSS in public product retur - CVE-2026-45616
Vvveb: Stored XSS in Posts allows privilege escalation via p
Same vendor: givanz
- CVE-2026-46408
Vvveb: checkout IDOR allows unauthorized reuse of another us - CVE-2026-46407
Vvveb: admin/auth-token IDOR allows unauthorized disclosure - CVE-2026-45800
Vvveb: Authenticated SQL injection in /user/orders via order - CVE-2026-45622
Vvveb: Unauthenticated reflected XSS in public product retur - CVE-2026-45616
Vvveb: Stored XSS in Posts allows privilege escalation via p
Same weakness: CWE-434
- CVE-2020-37227
WordPress Plugin HS Brand Logo Slider 2.1 Unrestricted File - CVE-2021-47965
WordPress Plugin WP Super Edit 2.5.4 Unrestricted File Uploa - CVE-2026-44088
Remote Code Execution in SzafirHost - CVE-2026-22707
Strapi Upload Plugin MIME Validation Bypass via Content API - CVE-2026-6271
Career Section <= 1.7 - Unauthenticated Arbitrary File Uplo
V. Comments for CVE-2026-41937
No comments yet