Vvveb Prior to 1.0.8.3 Vulnerable to DoS via Uncontrolled Recursion

The National Vulnerability Database reports a critical uncontrolled recursion vulnerability, CVE-2026-41935, affecting Vvveb versions prior to 1.0.8.3. The flaw lies in the admin controller dispatch cycle, where the Base::init() function repeatedly calls permission() while handling errors. The result is an infinite recursion that rapidly exhausts the PHP memory limit.

Attackers can exploit this with minimal effort. By sending sustained requests to forbidden administrative URLs from a low-privilege account, they can trigger this recursion. The result is a complete denial of service (DoS) for all legitimate traffic, as all PHP workers become incapacitated. The National Vulnerability Database assigns this a CVSS score of 7.1 (High severity), emphasizing the significant impact on availability.

This isn’t just a crash; it’s a resource exhaustion attack that any authenticated, low-privilege user can execute. Defenders need to understand that this isn’t about data exfiltration, but about crippling operations. The attacker’s calculus is simple: maximum disruption with minimal access. Patches are the only solution here, as this is a fundamental architectural flaw in how error handling interacts with permissions.
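The following Python model is added here as an illustration of the bug class the advisory describes; it is not Vvveb's PHP code. It assumes one plausible shape of the loop: a dispatch cycle whose error path calls back into init(), which re-runs the permission() check that just failed, so the two functions call each other until the process dies. The class and method names, and the call budget that stands in for PHP's memory limit, are assumptions for the illustration. A hardened variant with a re-entrancy guard follows the vulnerable one.

```python
"""Model of the error-handling / permission-check loop behind CVE-2026-41935.
Added illustration in Python, not Vvveb's PHP code: class and method names and
the call budget standing in for PHP's memory_limit are assumptions."""


class MemoryExhausted(Exception):
    """Stands in for PHP's 'Allowed memory size ... exhausted' fatal error."""


class VulnerableController:
    """Dispatch cycle in which the error handler re-enters init(), which runs
    permission() again for the same forbidden route, which fails again ..."""

    def __init__(self, user_role, budget=50):
        self.user_role = user_role
        self.budget = budget      # constructed cap in place of a real memory limit
        self.calls = 0            # how many times permission() has run

    def permission(self, route):
        self.calls += 1
        if self.calls > self.budget:
            raise MemoryExhausted(f"permission() called {self.calls} times")
        # Only admins may reach /admin/ routes; everything else is public.
        return self.user_role == "admin" or not route.startswith("/admin/")

    def error_handler(self, route):
        # The defect modelled here: the error path dispatches again instead of
        # rendering the error, so init() re-checks the permission that just failed.
        return self.init(route)

    def init(self, route):
        if not self.permission(route):
            return self.error_handler(route)
        return f"200 {route}"


class HardenedController(VulnerableController):
    """Same cycle with a re-entrancy guard: while the error handler is active,
    init() renders the error response instead of running permission() again."""

    def __init__(self, user_role, budget=50):
        super().__init__(user_role, budget)
        self._in_error_path = False

    def error_handler(self, route):
        self._in_error_path = True
        try:
            return self.init(route)
        finally:
            self._in_error_path = False

    def init(self, route):
        if self._in_error_path:
            return "403 forbidden"   # do not re-run the failed permission check
        return super().init(route)


def dispatch(controller, route):
    """Run one request; return (response, number of permission() calls)."""
    try:
        return controller.init(route), controller.calls
    except MemoryExhausted:
        return "500 memory exhausted", controller.calls


if __name__ == "__main__":
    for ctl in (VulnerableController("editor"), HardenedController("editor")):
        print(type(ctl).__name__, dispatch(ctl, "/admin/users"))
```

In the vulnerable model a single forbidden request from a non-admin burns the whole budget and ends in the equivalent of a fatal error, which is the per-worker outcome the advisory describes. The guard keeps the second pass through init() from touching permission() at all, so a forbidden request costs exactly one check. The simplest fix is stricter still: have the error handler render the error view directly and never dispatch again.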

What This Means For You

  • If your organization uses Vvveb, immediately verify your version. If it's prior to 1.0.8.3, patch to the latest version without delay. This vulnerability allows any low-privilege user to take down your entire Vvveb instance, halting critical administrative functions and user access.

Detection Rules

The following Sigma rule was auto-generated for this advisory and mapped to MITRE ATT&CK (T1499, Impact); severity level: high.

Vvveb Uncontrolled Recursion DoS Attempt - CVE-2026-41935 (Sigma YAML)

title: Vvveb Uncontrolled Recursion DoS Attempt - CVE-2026-41935
id: scw-2026-05-14-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-41935 by targeting specific admin URLs within Vvveb. The vulnerability lies in the Base::init() function's uncontrolled recursion when handling errors for forbidden admin URLs, leading to a denial of service by exhausting PHP memory. This rule looks for GET requests to '/admin/' paths that result in a 500 Internal Server Error, indicative of the application crashing due to the recursion.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41935/
tags:
  - attack.impact
  - attack.t1499
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/admin/'
    cs-method:
      - 'GET'
    sc-status:
      - '500'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World
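As an added example that is not part of the original post or of the rule itself, the Python below applies the rule's selection (GET, URI containing '/admin/', status 500) to W3C extended-format web server log lines, then goes one step beyond the rule by counting matches per client address, since the advisory describes sustained requests rather than a single hit. The log lines, the addresses and the threshold of three are constructed for the example.

```python
"""Apply the advisory's Sigma selection (GET to a '/admin/' URI answered with
500) to W3C extended-format web server log lines, then summarise hits per
client. Added example; the log lines below are constructed, not real traffic."""
from collections import Counter

# Constructed sample in W3C extended format; the field list mirrors the
# Sigma field names so the selection can be applied without renaming.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri sc-status
2026-05-14 18:20:01 203.0.113.7 GET /admin/users 500
2026-05-14 18:20:01 203.0.113.7 GET /admin/settings 500
2026-05-14 18:20:02 203.0.113.7 GET /admin/users 500
2026-05-14 18:20:02 198.51.100.3 GET /admin/dashboard 200
2026-05-14 18:20:03 198.51.100.3 POST /admin/save 500
2026-05-14 18:20:03 203.0.113.7 GET /admin/media 500
2026-05-14 18:20:04 192.0.2.9 GET /index.php 500
2026-05-14 18:20:05 203.0.113.7 GET /admin/plugins 500
"""


def parse_w3c(text):
    """Yield one dict per log line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue                      # other directives, or no header yet
        values = line.split()
        if len(values) != len(fields):
            continue                      # malformed line: skip, don't crash
        yield dict(zip(fields, values))


def matches_selection(event):
    """The rule's 'selection' block: all three field conditions must hold."""
    return (
        "/admin/" in event.get("cs-uri", "")
        and event.get("cs-method") == "GET"
        and event.get("sc-status") == "500"
    )


def find_hits(text):
    """Events that the Sigma rule would alert on, one per matching line."""
    return [e for e in parse_w3c(text) if matches_selection(e)]


def hits_per_client(text, threshold=3):
    """Beyond the rule: matches per c-ip at or above a threshold. Repeated
    500s on admin paths from one client fit the sustained pattern described;
    an isolated 500 is more likely an unrelated application error."""
    counts = Counter(e["c-ip"] for e in find_hits(text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print("match:", hit["c-ip"], hit["cs-method"], hit["cs-uri"], hit["sc-status"])
    print("clients over threshold:", hits_per_client(SAMPLE_LOG))
```

The POST with status 500 and the GET to /admin/dashboard answered with 200 are deliberately left out by the selection, as the rule's three conditions require; the per-client count is where to put a threshold if the raw rule proves noisy on a site whose admin area returns 500 for ordinary reasons.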

Indicators of Compromise

ID              Type  Indicator
CVE-2026-41935  DoS   Vvveb < 1.0.8.3
CVE-2026-41935  DoS   Uncontrolled recursion in admin controller dispatch cycle
CVE-2026-41935  DoS   Base::init() repeatedly invokes permission() on error handlers

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 14, 2026 at 18:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
