LeakyCreds

CVE-2026-39918 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: April 20, 2026

Vvveb - Remote Code Execution

Published: April 20, 2026 | Updated: April 20, 2026 | Remote Exploitable

Overview

Vvveb versions before 1.0.8.1 contain a code injection vulnerability caused by an unsanitized subdir POST parameter in the installation endpoint, which lets unauthenticated attackers execute arbitrary PHP code remotely as the web server user.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 0.0% (Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can execute arbitrary PHP code remotely, potentially leading to full server compromise.

Mitigation

Update to version 1.0.8.1 or later.

Social Media Activity (4 posts)

TheHackerWire
@thehackerwire
Apr 20, 2026

🔴 CVE-2026-39918 - Critical (9.8) Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-39918/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Details

CVE ID: CVE-2026-39918
Severity: Critical
CVSS Score: 9.8
Type: command_injection
Status: rejected
EPSS: 0.0%
Social Posts: 4

CWE

  • CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.0% (Probability of exploitation in the next 30 days)