Unauthenticated RCE in Vvveb Installer: Critical Flaw Exposes Web Servers

/CRITICAL /CVSS 9.8/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvecriticalhigh-severityremote-code-executioncwe-94
Unauthenticated RCE in Vvveb Installer: Critical Flaw Exposes Web Servers

The National Vulnerability Database has identified CVE-2026-39918, a critical code injection vulnerability in Vvveb versions prior to 1.0.8.1. The installation endpoint’s subdir POST parameter is written directly into the env.php configuration file without proper sanitization or validation. This oversight allows unauthenticated attackers to break out of the string context and inject arbitrary PHP code, leading to remote code execution as the web server user.

This vulnerability, rated CVSS 9.8, presents a severe risk to any organization running an affected Vvveb installation. The ease of exploitation—requiring no authentication and a straightforward POST request—makes it a prime target for automated attacks. Defenders must prioritize patching or mitigating this flaw immediately to prevent system compromise.

What This Means For You

  • If your organization uses Vvveb, check your installed version immediately. Any instance running 1.0.8.1 or earlier is vulnerable. Patch to the latest version or, if patching isn't immediately feasible, implement strict input validation on the `subdir` parameter at the web application firewall (WAF) level and monitor for suspicious outbound connections from your web server.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1059.004 Command and Scripting Interpreter: PHP Execution

🛡️ Detection Rules

1 rule · 6 SIEM formats

1 detection rule mapped to MITRE ATT&CK. Sigma YAML is free — copy below.

critical T1190 Initial Access

CVE-2026-39918: Unauthenticated RCE via Vvveb Installer subdir Parameter

Sigma YAML — free preview

Indicators of Compromise

IDTypeIndicator
CVE-2026-39918 Vulnerability CVE-2026-39918

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedApril 20, 2026 at 19:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related Posts

CVE-2026-6662: Open CORS Policy in copilot-api Exposes Token Endpoint

CVE-2026-6662 — A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the function cors of the file src/server.ts of the...

vulnerabilityCVEhigh-severitycwe-346cwe-942
/SCW Vulnerability Desk /HIGH /7.3 /⚑ 3 IOCs /⚙ 2 Sigma

KissFFT Integer Overflow: Heap Corruption Risk in Signal Processing

CVE-2026-41445 — KissFFT before commit 8a8e66e contains an integer overflow vulnerability in the kiss_fftndr_alloc() function in kiss_fftndr.c where the allocation size calculation dimOther*(dimReal+2)*sizeof(kiss_fft_scalar) overflows signed 32-bit...

vulnerabilityCVEhigh-severitybuffer-overflowcwe-122cwe-190
/SCW Vulnerability Desk /HIGH /8.8 /⚑ 4 IOCs /⚙ 3 Sigma

CVE-2026-35154 — IDRAC. A High Privileged Attacker With Local Access Vulnerability

CVE-2026-35154 — Dell PowerProtect Data Domain appliances, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an...

vulnerabilityCVEmedium-severitycwe-269
/SCW Vulnerability Desk /MEDIUM /6.3 /⚑ 2 IOCs /⚙ 2 Sigma