Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-41935— Vvveb < 1.0.8.3 Uncontrolled Recursion Denial of Service

CVSS 7.1 · High EPSS 0.04% · P13

Affected Version Matrix 2

VendorProductVersion RangeStatus
givanzVvveb< 1.0.8.3affected
c766e84b479dcf1bd1f25a44e4b9c9fa450769c8unaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-41935

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Vvveb < 1.0.8.3 Uncontrolled Recursion Denial of Service
Source: NVD (National Vulnerability Database)
Vulnerability Description
Vvveb before 1.0.8.3 contains an uncontrolled recursion vulnerability in the admin controller dispatch cycle where Base::init() repeatedly invokes permission() on error handlers, causing infinite recursion until PHP memory limits are exhausted. Attackers can send sustained requests to forbidden admin URLs from a low-privilege account to exhaust PHP memory on all workers and cause denial of service to legitimate traffic.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
未经控制的递归
Source: NVD (National Vulnerability Database)
Vulnerability Title
Vvveb 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Vvveb是Givan个人开发者的一个强大且易于使用的CMS,用于构建网站、博客或电子商务商店。 Vvveb 1.0.8.3之前版本存在安全漏洞,该漏洞源于管理员控制器调度周期中Base::init()在错误处理程序上重复调用permission(),导致无限递归耗尽PHP内存限制,可能导致攻击者从低权限账户发送持续请求到禁止的管理URL,耗尽所有工作进程的PHP内存,导致拒绝服务。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
givanzVvveb 0 ~ 1.0.8.3 -

II. Public POCs for CVE-2026-41935

#POC DescriptionSource LinkShenlong Link
AI-Generated POCVerified env Premium
Real sandbox recording· Watch the recording below to confirm the POC actually triggers the vulnerability.
Sandbox build & launch
Qwen3.6-35B-A3B · 10496 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month

III. Intelligence Information for CVE-2026-41935

登录查看更多情报信息。

Patches & Fixes for CVE-2026-41935 (1)

Vendor Advisories for CVE-2026-41935 (1)

Other References for CVE-2026-41935 (1)

Same Patch Batch · givanz · 2026-05-14 · 4 CVEs total

CVE-2026-419377.2 HIGHVvveb < 1.0.8.3 Unrestricted File Upload RCE via Plugin Upload
CVE-2026-419326.1 MEDIUMVvveb < 1.0.8.3 Stored XSS via Signup Controller
CVE-2026-419335.3 MEDIUMVvveb < 1.0.8.3 Directory Listing Information Disclosure

IV. Related Vulnerabilities

Same product: Vvveb
Same vendor: givanz
Same weakness: CWE-674

V. Comments for CVE-2026-41935

No comments yet

Leave a comment