LeakyCreds

CVE-2026-6249 - Vulnerability Analysis

High | CVSS: 8.8

Last Updated: April 21, 2026

Vvveb CMS - Remote Code Execution

Published: April 20, 2026 | Updated: April 21, 2026 | Remote Exploitable

Overview

Vvveb CMS 1.0.8 contains a remote code execution vulnerability caused by a bypass of the extension deny-list in the media upload handler. Authenticated attackers can execute arbitrary OS commands through an uploaded PHP webshell.

Severity & Score

Severity: High
CVSS Score: 8.8
EPSS Score: 9.6% (Probability of exploitation in next 30 days)

Impact

Authenticated attackers can execute arbitrary OS commands, leading to full server compromise.

Mitigation

Update to the latest version of Vvveb CMS.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Apr 20, 2026

🟠 CVE-2026-6249 - High (8.8) Vvveb CMS 1.0.8 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-6249/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-6249
Severity: High
CVSS Score: 8.8
Type: command_injection
Status: rejected
EPSS: 9.6%
Social Posts: 1

CWE

  • CWE-434

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

9.6% (Probability of exploitation in the next 30 days)