CVE Catalog

CVE-2026-41933

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile - higher than 16% of all known CVEs

Summary

Vvveb before version 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset paths, plugins, themes, and media folders to view filenames, file sizes, modification timestamps, and unrendered admin templates containing sensitive route maps.

Risk Assessment

The risk for the organization is the potential disclosure of sensitive information such as directory structure, filenames, and unrendered admin templates, which could facilitate further attacks including identification of vulnerable components or administrative routes.

Recommendation

It is recommended to immediately upgrade Vvveb to version 1.0.8.3 or later, which fixes this vulnerability. Additionally, configure the web server to disable directory listing for all application paths.

Original NVD description (English source)

Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset paths, plugins, themes, and media folders to view filenames, file sizes, modification timestamps, and unrendered admin templates containing sensitive route maps.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS