CVE-2026-41930 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: May 6, 2026
Vvveb - Hardcoded Credentials
Published: May 6, 2026 | Updated: May 6, 2026 | Remote Exploitable
Overview
Vvveb < 1.0.8.2 contains a hardcoded credentials vulnerability in its docker-compose-apache.yaml configuration that lets unauthenticated attackers access phpMyAdmin with pre-configured credentials, giving them full database read/write access.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Unauthenticated attackers can access and manipulate the entire database, including sensitive user data and administrator credentials, leading to account takeover and data tampering.
Mitigation
Update to version 1.0.8.2 or later.
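An added example (not Vvveb's code or its actual compose file): a small auditor that flags credential values written literally into a Compose file's `environment` section, the class of misconfiguration the Overview describes. The sample file, the key-name pattern and the two-space service indentation are assumptions; `PMA_USER` and `PMA_PASSWORD` are the phpMyAdmin image's auto-login variables.

```python
import re

# Key names treated as secrets (assumed pattern). PMA_USER / PMA_PASSWORD make
# the phpMyAdmin image log in automatically, so its UI asks for no password.
SECRET_KEY = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|^PMA_USER$", re.I)
# Matches both "KEY: value" and "- KEY=value" environment entries.
ENV_ENTRY = re.compile(r"^\s*(?:-\s*)?[\"']?([A-Za-z_]\w*)\s*[:=]\s*(.*)$")

def find_hardcoded_credentials(compose_text):
    """Return (service, key) pairs whose secret value is a literal in the file."""
    findings, service, in_env, env_indent = [], None, False, 0
    for raw in compose_text.splitlines():
        line = raw.split(" #")[0].rstrip()
        body = line.strip()
        if not body:
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 2 and body.endswith(":"):  # assumes 2-space service keys
            service, in_env = body[:-1], False
            continue
        if body == "environment:":
            in_env, env_indent = True, indent
            continue
        if in_env and indent <= env_indent and not body.startswith("-"):
            in_env = False
        match = ENV_ENTRY.match(line) if in_env else None
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip().strip("'\"")
        # ${VAR} interpolation or an empty value defers to the runtime environment.
        if SECRET_KEY.search(key) and value and not value.startswith("${"):
            findings.append((service, key))
    return findings

# Constructed sample, not the project's actual docker-compose-apache.yaml.
SAMPLE = """\
services:
  db:
    environment:
      MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD}
  phpmyadmin:
    environment:
      - PMA_HOST=db
      - PMA_USER=root
      - PMA_PASSWORD=example-password
"""

if __name__ == "__main__":
    print(find_hardcoded_credentials(SAMPLE))
```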
References
- https://github.com/givanz/Vvveb/commit/f85ca7c2bc389bda3cc2eca87b2514581a628c32
- https://github.com/givanz/Vvveb/releases/tag/1.0.8.2
- https://github.com/givanz/Vvveb/security/advisories/GHSA-g38h-mr9p-fjmf
- https://www.vulncheck.com/advisories/vvveb-hard-coded-credentials-information-disclosure-via-phpmyadmin
Details
- CVE ID: CVE-2026-41930
- Severity: Critical
- CVSS Score: 9.8
- Type: hardcoded_credentials
- Status: rejected
CWE
- CWE-306
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H