CVE-2026-41935
Published: 14 May 2026
Summary
CVE-2026-41935 is a high-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Detects error messages that leak sensitive information as evidence of disclosure.
Supports resumption at alternate site when uncontrolled recursion causes primary site failure or crash.
The control directly mitigates generation of error messages containing sensitive authentication details by requiring obscured feedback instead of verbose responses.
Misdirection allows generation of misleading error messages that withhold or falsify sensitive details.
Prevents uncontrolled recursion that exhausts stack or CPU resources.
Explicitly requires error messages to avoid including sensitive or exploitable details while still supporting corrective action.
Validation ensures error messages contain only expected, non-sensitive content and blocks leakage via verbose errors.
Fail-safe procedures can be defined to suppress or sanitize error output, reducing generation of messages that contain sensitive information.
NVD Description
Vvveb before 1.0.8.3 contains an uncontrolled recursion vulnerability in the admin controller dispatch cycle where Base::init() repeatedly invokes permission() on error handlers, causing infinite recursion until PHP memory limits are exhausted. Attackers can send sustained requests to forbidden admin URLs…
more
from a low-privilege account to exhaust PHP memory on all workers and cause denial of service to legitimate traffic.
Deeper analysisAI
Automated synthesis unavailable for this CVE.
Details
- CWE(s)