CVE-2026-41935— Vvveb < 1.0.8.3 Uncontrolled Recursion Denial of Service
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41935
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Vvveb < 1.0.8.3 Uncontrolled Recursion Denial of Service
Source: NVD (National Vulnerability Database)
Vulnerability Description
Vvveb before 1.0.8.3 contains an uncontrolled recursion vulnerability in the admin controller dispatch cycle where Base::init() repeatedly invokes permission() on error handlers, causing infinite recursion until PHP memory limits are exhausted. Attackers can send sustained requests to forbidden admin URLs from a low-privilege account to exhaust PHP memory on all workers and cause denial of service to legitimate traffic.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
未经控制的递归
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-41935
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCVerified env Premium
Real sandbox recording· Watch the recording below to confirm the POC actually triggers the vulnerability.
Sandbox build & launch
Qwen3.6-35B-A3B · 10398 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-41935
请登录查看更多情报信息。
- https://github.com/givanz/Vvveb/releases/tag/1.0.8.3release-notes
- https://nvd.nist.gov/vuln/detail/CVE-2026-41935
Same Patch Batch · givanz · 2026-05-14 · 4 CVEs total
| CVE-2026-41937 | 7.2 HIGH | Vvveb < 1.0.8.3 Unrestricted File Upload RCE via Plugin Upload |
| CVE-2026-41932 | 6.1 MEDIUM | Vvveb < 1.0.8.3 Stored XSS via Signup Controller |
| CVE-2026-41933 | 5.3 MEDIUM | Vvveb < 1.0.8.3 Directory Listing Information Disclosure |
IV. Related Vulnerabilities
Same product: Vvveb
- CVE-2026-46408
Vvveb: checkout IDOR allows unauthorized reuse of another us - CVE-2026-46407
Vvveb: admin/auth-token IDOR allows unauthorized disclosure - CVE-2026-45800
Vvveb: Authenticated SQL injection in /user/orders via order - CVE-2026-45622
Vvveb: Unauthenticated reflected XSS in public product retur - CVE-2026-45616
Vvveb: Stored XSS in Posts allows privilege escalation via p
Same vendor: givanz
- CVE-2026-46408
Vvveb: checkout IDOR allows unauthorized reuse of another us - CVE-2026-46407
Vvveb: admin/auth-token IDOR allows unauthorized disclosure - CVE-2026-45800
Vvveb: Authenticated SQL injection in /user/orders via order - CVE-2026-45622
Vvveb: Unauthenticated reflected XSS in public product retur - CVE-2026-45616
Vvveb: Stored XSS in Posts allows privilege escalation via p
Same weakness: CWE-674
- CVE-2026-6811
PHP Stack Exhaustion - CVE-2026-6479
PostgreSQL SSL/GSS init causes denial of service, via uncont - CVE-2026-45205
Apache Commons Configuration: StackOverflowError for YAML in - CVE-2026-45740
protobufjs: Denial of Service via unbounded recursive JSON d - CVE-2026-44289
protobufjs: Denial of service through unbounded protobuf rec
V. Comments for CVE-2026-41935
No comments yet