CVE-2026-41933
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk16th percentile - higher than 16% of all known CVEs
Summary
Vvveb before version 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset paths, plugins, themes, and media folders to view filenames, file sizes, modification timestamps, and unrendered admin templates containing sensitive route maps.
Risk Assessment
The risk for the organization is the potential disclosure of sensitive information such as directory structure, filenames, and unrendered admin templates, which could facilitate further attacks including identification of vulnerable components or administrative routes.
Recommendation
It is recommended to immediately upgrade Vvveb to version 1.0.8.3 or later, which fixes this vulnerability. Additionally, configure the web server to disable directory listing for all application paths.
Original NVD description (English source)
Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset paths, plugins, themes, and media folders to view filenames, file sizes, modification timestamps, and unrendered admin templates containing sensitive route maps.

