CVE-2026-41930

critical

Description

Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to gain unrestricted read and write access to the entire Vvveb database, including administrator password hashes, customer personally identifiable information, and order data, enabling account takeover and data manipulation.

References

https://www.vulncheck.com/advisories/vvveb-hard-coded-credentials-information-disclosure-via-phpmyadmin

https://github.com/givanz/Vvveb/security/advisories/GHSA-g38h-mr9p-fjmf

https://github.com/givanz/Vvveb/releases/tag/1.0.8.2

https://github.com/givanz/Vvveb/commit/f85ca7c2bc389bda3cc2eca87b2514581a628c32

Details

Source: Mitre, NVD

Published: 2026-05-06

Updated: 2026-05-06

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

CVSS v4

Base Score: 9.2

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Severity: Critical

EPSS

EPSS: 0.00056