Cyber Posture

CVE-2026-39918

Severity: Critical · Public PoC

Published: 20 April 2026
Modified: 20 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0029 (52.1st percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the define statement to achieve unauthenticated remote code execution as the web server user.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Directly requires validation and sanitization of the subdir POST parameter to block code injection into the env.php configuration file.

- prevent: Mandates timely identification, reporting, and patching of the code injection flaw addressed in Vvveb 1.0.8.1.

- detect: Provides vulnerability scanning to detect the presence of CVE-2026-39918 in Vvveb installations prior to 1.0.8.1.

Security Summary (AI-generated)

CVE-2026-39918 is a code injection vulnerability (CWE-94) affecting Vvveb versions prior to 1.0.8.1. The flaw exists in the installation endpoint, where the subdir POST parameter is written unsanitized into the env.php configuration file without proper escaping or validation. This allows attackers to inject arbitrary PHP code by breaking out of the string context within the define statement. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for widespread remote exploitation.

Any unauthenticated remote attacker can exploit this vulnerability by sending a crafted POST request to the installation endpoint with a malicious subdir parameter. Successful exploitation leads to arbitrary PHP code execution on the server as the web server user, potentially enabling full server compromise, data theft, persistence, or lateral movement within the environment.

Mitigation is available through upgrading to Vvveb version 1.0.8.1 or later, as detailed in the project's GitHub release notes. The specific fix is implemented in commit 5162c1639130bd080ab63c7d856788cd59d6b3b7, which addresses the unsanitized parameter handling. Additional details on the vulnerability and remediation are provided in the VulnCheck advisory.
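To make the failure mode concrete, the following PHP contrasts the unsafe pattern the summary describes (the POST value spliced straight into a define() string literal in env.php) with a hardened writer that allow-lists the value and emits it with var_export(). This is an added example, not Vvveb's code or the referenced commit; the constant name SUBDIR and all function names are assumptions.

```php
<?php
// Added example, not Vvveb's code. Constant name SUBDIR and function names are
// assumptions; the real fix is in the commit cited in the summary above.

// Unsafe: anything in $subdir that closes the single quote is no longer data
// but PHP source, which is exactly the string-context break-out described.
function renderEnvUnsafe(string $subdir): string {
    return "<?php\ndefine('SUBDIR', '" . $subdir . "');\n";
}

// Allow-list: optional leading slash, then segments of [A-Za-z0-9_-] joined by
// single slashes. Returns null for anything else (quotes, spaces, '..', etc.).
function validateSubdir(string $raw): ?string {
    $subdir = trim($raw, '/');
    if ($subdir === '') {
        return '';                       // installed at the web root
    }
    if (!preg_match('#^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*$#', $subdir)) {
        return null;                     // reject rather than "clean up"
    }
    return '/' . $subdir;
}

// Safe: var_export() always produces a quoted, escaped PHP string literal, so
// the value cannot leave the string context even if the allow-list is relaxed.
function renderEnvSafe(string $subdir): string {
    return "<?php\ndefine('SUBDIR', " . var_export($subdir, true) . ");\n";
}

// Installer glue: refuse to write env.php at all when validation fails.
function buildEnvPhp(array $post): ?string {
    $subdir = validateSubdir((string)($post['subdir'] ?? ''));
    return $subdir === null ? null : renderEnvSafe($subdir);
}

// Constructed inputs: a normal subdirectory and one containing a single quote.
var_dump(buildEnvPhp(['subdir' => 'blog']));   // "<?php\ndefine('SUBDIR', '/blog');\n"
var_dump(buildEnvPhp(['subdir' => "x'y"]));    // NULL: rejected, nothing is written
```

The validator and the escaping are independent layers: the allow-list blocks the bad input at the boundary, and var_export() guarantees a well-formed literal even for values that pass.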

Details

CWE(s): CWE-94 (Code Injection)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability allows unauthenticated remote code execution via a public-facing web application's installation endpoint, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References