CVE-2026-41931

Vvveb < 1.0.8.2 Information Disclosure via Debug Exception Handler

CVSS 6.9 MEDIUMEPSS 0.2%CWE-1188 CWE-209

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 6.9EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

06 mai 2026Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

Vvveb before version 1.0.8.2 contains an information disclosure vulnerability that allows unauthenticated attackers to obtain sensitive server information by triggering unhandled exceptions in the password-reset module. Attackers can access the admin password-reset endpoint to trigger a fatal error caused by a missing namespace import, which exposes the absolute server file path, internal class namespaces, line numbers, and source code excerpts through the debug exception handler rendered to unauthenticated requests.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Produtos afetados

givanz · Vvveb

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 https://github.com/givanz/Vvveb/security/advisories/GHSA-xgvg-r47g-786r https://www.vulncheck.com/advisories/vvveb-information-disclosure-via-debug-exception-handler