{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39918", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-07T20:57:06.209Z", "datePublished": "2026-04-20T14:46:33.549Z", "dateUpdated": "2026-04-20T15:36:55.619Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-20T14:46:33.549Z"}, "title": "Vvveb < 1.0.8.1 Code Injection via Installation Endpoint", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "affected": [{"vendor": "givanz", "product": "Vvveb", "repo": "https://github.com/givanz/Vvveb", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.8.1", "versionType": "semver"}, {"status": "unaffected", "version": "5162c1639130bd080ab63c7d856788cd59d6b3b7", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Vvveb prior to\u00a01.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the define statement to achieve unauthenticated remote code execution as the web server user.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Vvveb prior to&nbsp;1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the define statement to achieve unauthenticated remote code execution as the web server user.<br>"}]}], "references": [{"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.1", "tags": ["release-notes"]}, {"url": "https://github.com/givanz/Vvveb/commit/5162c1639130bd080ab63c7d856788cd59d6b3b7", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/vvveb-code-injection-via-installation-endpoint", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.2, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Mohammed EL OUARDANI (sh4dowalker)", "type": "finder"}, {"lang": "en", "value": "VulnCheck", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T15:30:35.694606Z", "id": "CVE-2026-39918", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:36:55.619Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39918", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-20T15:30:35.694606Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:36:49.574Z"}}], "cna": {"title": "Vvveb < 1.0.8.1 Code Injection via Installation Endpoint", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Mohammed EL OUARDANI (sh4dowalker)"}, {"lang": "en", "type": "coordinator", "value": "VulnCheck"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/givanz/Vvveb", "vendor": "givanz", "product": "Vvveb", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.8.1", "versionType": "semver"}, {"status": "unaffected", "version": "5162c1639130bd080ab63c7d856788cd59d6b3b7", "versionType": "git"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.1", "tags": ["release-notes"]}, {"url": "https://github.com/givanz/Vvveb/commit/5162c1639130bd080ab63c7d856788cd59d6b3b7", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/vvveb-code-injection-via-installation-endpoint", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Vvveb prior to\u00a01.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the define statement to achieve unauthenticated remote code execution as the web server user.", "supportingMedia": [{"type": "text/html", "value": "Vvveb prior to&nbsp;1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the define statement to achieve unauthenticated remote code execution as the web server user.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-20T14:46:33.549Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39918", "state": "PUBLISHED", "dateUpdated": "2026-04-20T15:36:55.619Z", "dateReserved": "2026-04-07T20:57:06.209Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-20T14:46:33.549Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vvveb prior to\u00a01.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the define statement to achieve unauthenticated remote code execution as the web server user."}], "id": "CVE-2026-39918", "lastModified": "2026-04-20T16:16:45.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-20T16:16:45.243", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/givanz/Vvveb/commit/5162c1639130bd080ab63c7d856788cd59d6b3b7"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.1"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/vvveb-code-injection-via-installation-endpoint"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.8.1)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "code_commit", "value": "5162c1639130bd080ab63c7d856788cd59d6b3b7"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Vvveb", "source": "cna", "vendor": "givanz"}, "product": "vvveb", "vendor": "givanz"}], "analysis": {"en": {"generated_at": "2026-04-20T16:28:09.517874+00:00", "value": {"mitigation_remediation": ["Upgrade Vvveb to version 1.0.8.1 or newer, which removes the unsanitized write to env.php.", "If an upgrade is not immediately possible, disable or remove the installation endpoint to block POST requests that could be abused.", "Ensure that env.php and other configuration files have restrictive permissions so that the web server can write only what is necessary, limiting the impact of any remaining code injection risks."], "summary": {"action": "Apply patch", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "The affected product is Vvveb from givanz, versions prior to 1.0.8.1. Any deployment running a version older than 1.0.8.1 that has the installation endpoint exposed is susceptible to exploitation.", "description_and_impact": "This vulnerability allows an attacker to inject arbitrary PHP code via the subdir POST parameter in the Vvveb installation endpoint. Because the parameter is written unsanitized into the env.php file, attackers can break out of a string literal and define malicious code, enabling unauthenticated remote code execution as the web\u2011server user. The flaw represents a classic code\u2011injection weakness (CWE\u201194) that can be leveraged to compromise the entire application and the underlying operating system.", "risk_and_exploitability": "The CVSS score of 9.2 signals a high severity flaw with full compromise potential. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog, so current exploitation evidence is lacking, but the attack path is straightforward: an unauthenticated user can send an HTTP POST to the installation endpoint with a crafted subdir value, injecting malicious PHP into env.php and achieving remote code execution as the web\u2011server process. The likely attack vector is a simple HTTP request to a publicly accessible installation URL without authentication."}}}}, "created": "2026-04-20T16:30:06.098327+00:00", "updated": "2026-04-20T16:30:06.278442+00:00", "vendors": ["givanz", "givanz$PRODUCT$vvveb"]}