CVE Catalog

CVE-2026-6257

Critical
Published: Translated: NVD NIST

Summary

Vvveb CMS version 1.0.8.2 contains a remote code execution vulnerability in its media management functionality. A missing return statement in the file rename handler allows authenticated attackers to rename files to blocked extensions .php or .htaccess.

Risk Assessment

Attackers can exploit this vulnerability to inject Apache directives, allowing them to execute arbitrary operating system commands as the www-data user. This poses a significant threat to the integrity and security of the system.

Recommendation

It is recommended to update Vvveb CMS to the latest version to eliminate this vulnerability. Additionally, implement proper access controls for file management and monitor system logs for unauthorized activities.

Original NVD description (English source)

Vvveb CMS v1.0.8.2 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows authenticated attackers to rename files to blocked extensions .php or .htaccess. Attackers can exploit this logic flaw by first uploading a text file and renaming it to .htaccess to inject Apache directives that register PHP-executable MIME types, then uploading another file and renaming it to .php to execute arbitrary operating system commands as the www-data user.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS