CVE-2026-41930

9.8 CRITICAL
Published: May 06, 2026 Modified: May 06, 2026
View on NVD

Description

Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to gain unrestricted read and write access to the entire Vvveb database, including administrator password hashes, customer personally identifiable information, and order data, enabling account takeover and data manipulation.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/givanz/Vvveb/commit/f85ca7c2bc389bda3cc2eca87b2514581a628c32
Source: disclosure@vulncheck.com
https://github.com/givanz/Vvveb/releases/tag/1.0.8.2
Source: disclosure@vulncheck.com
https://github.com/givanz/Vvveb/security/advisories/GHSA-g38h-mr9p-fjmf
Source: disclosure@vulncheck.com
https://www.vulncheck.com/advisories/vvveb-hard-coded-credentials-information-disclosure-via-phpmyadmin
Source: disclosure@vulncheck.com
https://github.com/givanz/Vvveb/security/advisories/GHSA-g38h-mr9p-fjmf
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.8 / 10.0
EPSS (Exploit Probability)
0.1%
29th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-306

Related CVEs

CVE-2026-6517 6.3
CVE-2026-5242 8.8
CVE-2026-5233 7.1
CVE-2026-5230 7.1
CVE-2026-5079 7.5