CVE-2026-6257
Published: 20 April 2026
Description
Vvveb CMS prior to v1.0.8.2 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows authenticated attackers to rename files to blocked extensions .php or .htaccess. Attackers can exploit this logic flaw by first uploading a text file and renaming it to .htaccess to inject Apache directives that register PHP-executable MIME types, then uploading another file and renaming it to .php to execute arbitrary operating system commands as the www-data user.
Mitigating Controls (NIST 800-53 r5)
- Requires validation of file names and extensions during media upload and rename operations to block dangerous types like .php and .htaccess, directly preventing the bypass exploit.
- Enforces access control policies in the file rename handler to prohibit renaming uploaded files to blocked executable extensions, addressing the missing return statement flaw.
- Restricts input of prohibited file classes such as .php and .htaccess in media management, mitigating unauthorized file type acceptance even if validation partially fails.
Security Summary
CVE-2026-6257 is a remote code execution vulnerability in Vvveb CMS version 1.0.8, specifically within its media management functionality. The flaw stems from a missing return statement in the file rename handler, which allows authenticated attackers to bypass restrictions and rename uploaded files to blocked extensions such as .php or .htaccess. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).
Attackers require high privileges (PR:H) to exploit this over the network with low complexity and no user interaction. The scenario involves first uploading a text file and renaming it to .htaccess to inject Apache directives that register PHP-executable MIME types. Attackers can then upload a second file and rename it to .php, achieving arbitrary operating system command execution as the www-data user, with high impact on confidentiality, integrity, and availability due to the changed scope.
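An added example, not Vvveb's code and with an assumed blocklist, contrasting the fall-through pattern the summary describes (a rejection that is recorded but never returned) with a rename handler that stops before touching the filesystem:

```python
"""Rename-handler bug class behind CVE-2026-6257: a fall-through check beside one that stops."""
import os
import tempfile
from pathlib import Path

# Hypothetical blocklist (an assumption, not Vvveb's). Dotfiles like .htaccess have no extension
# in the usual sense, so they are matched by full name; all comparisons are lower-cased.
BLOCKED_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar", "htaccess"}
BLOCKED_NAMES = {".htaccess", ".htpasswd", ".user.ini"}

def is_blocked_name(name: str) -> bool:
    """True if the requested target name must never be written into the media directory."""
    base = os.path.basename(name).lower()
    if base in BLOCKED_NAMES:
        return True
    # Check every suffix, so double extensions such as "img.php.txt" are rejected as well.
    return any(part in BLOCKED_EXTENSIONS for part in base.split(".")[1:])

def rename_vulnerable(media_dir: str, old: str, new: str) -> dict:
    """Buggy pattern: the check records an error but does not return, so the rename still runs."""
    errors = []
    if is_blocked_name(new):
        errors.append("blocked extension")  # a `return` belongs here; without it we fall through
    Path(media_dir, old).rename(Path(media_dir, new))  # executed even when errors is non-empty
    return {"ok": True, "errors": errors}

def rename_fixed(media_dir: str, old: str, new: str) -> dict:
    """Fixed pattern: every rejection returns before the filesystem is touched."""
    if not new or Path(new).name != new:  # no empty names, no path components
        return {"ok": False, "errors": ["invalid target name"]}
    if is_blocked_name(new):
        return {"ok": False, "errors": ["blocked extension"]}
    src, dst = Path(media_dir, old), Path(media_dir, new)
    if not src.is_file() or dst.exists():
        return {"ok": False, "errors": ["missing source or target already exists"]}
    src.rename(dst)
    return {"ok": True, "errors": []}

def demo() -> dict:
    """Run both handlers on a constructed text upload; report whether .htaccess landed on disk."""
    outcome = {}
    for label, handler in (("vulnerable", rename_vulnerable), ("fixed", rename_fixed)):
        with tempfile.TemporaryDirectory() as d:
            Path(d, "notes.txt").write_text("constructed upload\n")  # stands in for the uploaded file
            result = handler(d, "notes.txt", ".htaccess")
            outcome[label] = (result["ok"], Path(d, ".htaccess").exists())
    return outcome
```

`demo()` returns `{'vulnerable': (True, True), 'fixed': (False, False)}`: the buggy handler reports success and leaves an .htaccess in the media directory, the fixed one refuses and writes nothing.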
A fixing commit is available at https://github.com/givanz/Vvveb/commit/6fb8eaa998265e33e8802cbc220d8859dbc144f2. Further details on the vulnerability and mitigation are provided in the VulnCheck advisory at https://www.vulncheck.com/advisories/vvveb-cms-remote-code-execution-via-media-management.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the public-facing Vvveb CMS media management allows authenticated high-privilege attackers to bypass file extension restrictions via rename, enabling web shell deployment (T1505.003) through exploitation of a public-facing application (T1190).