CVE-2026-41930
Vvveb < 1.0.8.2 Hard-coded Credentials Information Disclosure via phpMyAdmin
Vexday Risk Score
28 (Low)
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.2 | EPSS 0.3% | KEV: no | PoC: — | Nuclei: — | Metasploit: — | Patch referenced
Lifecycle
06 May 2026: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to gain unrestricted read and write access to the entire Vvveb database, including administrator password hashes, customer personally identifiable information, and order data, enabling account takeover and data manipulation.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
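A defender-side check for the pattern in the description above, added here as an example and not taken from the Vvveb project: it flags a compose service that runs a phpMyAdmin image with pre-filled login credentials and a port published beyond loopback. It assumes the credentials are passed through the phpMyAdmin image's `PMA_USER` and `PMA_PASSWORD` variables and that the file uses 2-space indentation; the page does not quote the affected file, so the sample is constructed.

```python
import re
# phpMyAdmin Docker image variables that pre-fill the login (no prompt shown).
AUTOLOGIN_VARS = {"PMA_USER", "PMA_PASSWORD"}

def parse_services(text):
    """Read image/ports/environment per service; assumes 2-space indentation."""
    services, name, key, in_services = {}, None, None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent, body = len(line) - len(line.lstrip()), line.strip()
        if indent == 0:
            in_services, name = body == "services:", None
        elif in_services and indent == 2 and body.endswith(":"):
            name, key = body[:-1], None
            services[name] = {"image": "", "ports": [], "environment": {}}
        elif name and indent == 4:
            key, _, val = body.partition(":")
            if key == "image":
                services[name]["image"] = val.strip().strip("\"'")
        elif name and key == "ports" and body.startswith("-"):
            services[name]["ports"].append(body[1:].strip().strip("\"'"))
        elif name and key == "environment":
            m = re.match(r"-?\s*(\w+)\s*[=:]\s*(.*)", body)  # list or map form
            if m:
                services[name]["environment"][m.group(1)] = m.group(2).strip("\"'")
    return services

def audit(text):
    """Return (service, credential vars, published ports) for each risky service."""
    findings = []
    for name, svc in parse_services(text).items():
        creds = sorted(v for v in AUTOLOGIN_VARS if svc["environment"].get(v))
        exposed = [p for p in svc["ports"] if not p.startswith("127.")]
        if "phpmyadmin" in svc["image"].lower() and creds and exposed:
            findings.append((name, creds, exposed))
    return findings

# Constructed sample for illustration, not the project's docker-compose-apache.yaml.
WEAK = """services:
  phpmyadmin:
    image: phpmyadmin:latest
    ports:
      - "8080:80"
    environment:
      PMA_USER: root
      PMA_PASSWORD: example
"""
```

`audit(WEAK)` reports the `phpmyadmin` service; binding the port to `127.0.0.1` or removing the two variables so phpMyAdmin shows its login prompt clears the finding.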
Affected products
givanz · Vvveb
References
https://github.com/givanz/Vvveb/commit/f85ca7c2bc389bda3cc2eca87b2514581a628c32
https://github.com/givanz/Vvveb/releases/tag/1.0.8.2
https://github.com/givanz/Vvveb/security/advisories/GHSA-g38h-mr9p-fjmf
https://www.vulncheck.com/advisories/vvveb-hard-coded-credentials-information-disclosure-via-phpmyadmin