Cyber Posture

CVE-2026-6249

Severity: High · Public PoC available

Published: 20 April 2026

Modified: 06 May 2026
KEV Added: (no entry shown)
Patch: (see References)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Vvveb CMS 1.0.8.2 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension, an extension the handler's deny-list omits but which PHP-enabled web servers commonly pass to the interpreter. Attackers can therefore bypass the extension deny-list and upload malicious files to the publicly accessible media directory, then request the file over HTTP to achieve full server compromise.

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: Validate uploaded media by file content and declared type, not by extension alone, so that a PHP webshell is rejected regardless of the extension it carries; this directly counters the unrestricted upload and deny-list bypass.

Prevent: Scan uploaded files for executable code such as PHP webshells before they are written to the publicly accessible media directory, so that nothing the web server could execute is ever stored there.

Prevent: Remediate the specific flaw in the Vvveb CMS media upload handler by applying the published patch, eliminating the RCE vulnerability.

Security Summary [AI]

Vvveb CMS 1.0.8.2 (the version named in the description above) is affected by CVE-2026-6249, a remote code execution vulnerability in its media upload handler. The flaw allows attackers to bypass the extension deny-list and upload malicious PHP webshell files with a .phtml extension to the publicly accessible media directory. Published on 2026-04-20, the vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

Authenticated attackers with low privileges can exploit this vulnerability remotely with minimal complexity and no user interaction required. By uploading a crafted PHP webshell to the media directory, attackers can then trigger it via an HTTP request, executing arbitrary operating system commands and achieving full server compromise, including high impacts on confidentiality, integrity, and availability.

Mitigation details are available in the referenced advisories and patch. A fixing commit (23ac0e8c758d80f3c4d9224763c8b2359648270e) has been published on the Vvveb GitHub repository, and further analysis is provided in the VulnCheck advisory at https://www.vulncheck.com/advisories/vvveb-cms-remote-code-execution-via-media-upload.

Details

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The vulnerability allows exploitation of a public-facing web application (T1190) to upload a PHP webshell into the media directory and execute it over HTTP (T1505.003), giving remote code execution and a persistent foothold on the server.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
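A detection for the two techniques above, as an added example that is not part of the advisory: it parses web-server access log lines, flags any request for a script-extension file under the public media directory, and escalates the finding when the same client hit the upload endpoint shortly before. The log lines are constructed, and the paths `/media/` and `/admin/media/upload` are assumed for illustration, not Vvveb's real routes; adjust them to the deployment.

```python
"""Hunt for webshell staging in access logs: T1190 upload followed by T1505.003 execution.

Added example; not part of the advisory. The log lines are constructed and the
media/upload paths are assumptions, not Vvveb's actual routes.
"""
import re
from datetime import datetime, timedelta

# Apache/Nginx "combined" format; the request line is split into method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Extensions a PHP-enabled server commonly hands to the interpreter;
# ".phtml" is the one used in this CVE.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)$", re.IGNORECASE)

MEDIA_PREFIX = "/media/"              # assumed public media directory
UPLOAD_PATH = "/admin/media/upload"   # assumed authenticated upload endpoint
WINDOW = timedelta(minutes=10)        # upload-to-execution correlation window


def parse(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string (?cmd=id)
    return rec


def hunt(lines):
    """Return findings for script files requested under the media directory.

    A finding is 'upload_then_execute' when the same IP POSTed to the upload
    endpoint within WINDOW before the request, otherwise 'script_in_media'.
    """
    recs = [r for r in map(parse, lines) if r]
    recs.sort(key=lambda r: r["ts"])
    last_upload = {}          # ip -> time of that client's most recent upload POST
    findings = []
    for r in recs:
        if r["method"] == "POST" and r["path"] == UPLOAD_PATH:
            last_upload[r["ip"]] = r["ts"]
            continue
        if r["path"].startswith(MEDIA_PREFIX) and SCRIPT_EXT.search(r["path"]):
            kind = "script_in_media"
            up = last_upload.get(r["ip"])
            if up is not None and r["ts"] - up <= WINDOW:
                kind = "upload_then_execute"
            findings.append({"ip": r["ip"], "path": r["path"],
                             "status": r["status"], "kind": kind})
    return findings


# Constructed sample log: one staged webshell, one benign image, one stray probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Apr/2026:10:00:01 +0000] "POST /admin/media/upload HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Apr/2026:10:00:02 +0000] "GET /media/logo.png HTTP/1.1" 200 10240',
    '203.0.113.5 - - [20/Apr/2026:10:00:03 +0000] "GET /media/shell.phtml?cmd=id HTTP/1.1" 200 48',
    '192.0.2.9 - - [20/Apr/2026:11:30:00 +0000] "GET /media/old.php HTTP/1.1" 404 0',
    'not a log line',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["kind"], f["ip"], f["path"], f["status"])
```

A 200 on the escalated finding means the server executed the file (the second line of the sample); a 404 on a script request with no preceding upload is reconnaissance worth noting but not proof of compromise. Pair the log hunt with a filesystem sweep of the media directory for the same extensions, since a webshell that was never requested leaves no access-log trace.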

References