Vvveb CMS Remote Code Execution Vulnerability via Unrestricted .phtml File Upload

Vulnerability

A remote code execution vulnerability has been identified in Vvveb CMS version 1.0.8. This issue arises in the media upload handler, where authenticated attackers can upload PHP web shells with a .phtml extension, bypassing the extension deny-list. The uploaded files are placed in a publicly accessible media directory. Once the malicious file is uploaded, it can be accessed over HTTP, allowing the attacker to execute arbitrary operating system commands and potentially compromise the entire server.

Impact

Exploitation of this vulnerability leads to full server compromise, allowing attackers to execute arbitrary operating system commands with the same privileges as the web server user.

Remediation

Users can update to Vvveb CMS version 1.0.8.1, which addresses this vulnerability by adding .phtml to the extension deny-list for media uploads.
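The difference between the deny-list approach described above and an allow-list, as an added example that is not Vvveb's code: both extension lists and all file names are constructed for illustration, and the function names are hypothetical.

```php
<?php
// Added example: hypothetical upload-name checks, not Vvveb's own code.
// Both lists are constructed for illustration.
const DENY  = ['php', 'php5', 'phar'];                       // deny-list that misses phtml
const ALLOW = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf'];  // media allow-list

// Deny-list check: accepts anything whose final extension is not listed,
// so every executable extension the list forgot gets through.
function denyListAccepts(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, DENY, true);
}

// Allow-list check: accepts only known media extensions and rejects names
// with control bytes, path separators, no base name, or more than one suffix.
function allowListAccepts(string $name): bool
{
    if ($name === '' || preg_match('/[\x00-\x1f\/\\\\]/', $name)) {
        return false;
    }
    // Trailing dots and spaces are ignored when deciding the extension.
    $parts = explode('.', strtolower(rtrim($name, '. ')));
    if (count($parts) !== 2 || $parts[0] === '') {
        return false; // no extension, dot-file, or double extension
    }
    return in_array($parts[1], ALLOW, true);
}

// Constructed sample file names.
$samples = ['photo.jpg', 'notes.phtml', 'notes.PhTmL', 'report.php.jpg', '.htaccess'];
foreach ($samples as $name) {
    printf(
        "%-15s deny-list: %-7s allow-list: %s\n",
        $name,
        denyListAccepts($name) ? 'accept' : 'reject',
        allowListAccepts($name) ? 'accept' : 'reject'
    );
}
```

The deny-list function accepts every sample here, while the allow-list function accepts only `photo.jpg`. Independently of the name check, a media directory that the web server never hands to the PHP interpreter keeps a missed extension from becoming code execution.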

Added: Apr 20, 2026, 8:21 PM
Updated: Apr 20, 2026, 8:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 5.9
remediation: 0.0
relevance: 6.3
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.