module
Remote Code Execution Vulnerability in Vvveb
| Disclosed | Created |
|---|---|
| Jan 10, 2025 | Oct 22, 2025 |
Disclosed
Jan 10, 2025
Created
Oct 22, 2025
Description
Vvveb CMS is vulnerable to code injection via the Code Editor functionality.
Unsanitized editing functionality allows attacker-controlled changes to existing files on the web-accessible filesystem,
allowing remote authenticated attackers with access to the Code Editor to achieve code execution
when those modified files are executed or served by the application or web server.
This vulnerability affects Vvveb CMS versions up to and including 1.0.5.
Successful exploitation may result in the remote code execution under the privileges
of the web server, potentially exposing sensitive data or disrupting survey operations.
An attacker can execute arbitrary system commands in the context of the user running the web server.
Unsanitized editing functionality allows attacker-controlled changes to existing files on the web-accessible filesystem,
allowing remote authenticated attackers with access to the Code Editor to achieve code execution
when those modified files are executed or served by the application or web server.
This vulnerability affects Vvveb CMS versions up to and including 1.0.5.
Successful exploitation may result in the remote code execution under the privileges
of the web server, potentially exposing sensitive data or disrupting survey operations.
An attacker can execute arbitrary system commands in the context of the user running the web server.
Authors
Maksim Rogov
Hamed Kohi
Hamed Kohi
Platform
PHP
Architectures
php
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.