Critical Vulnerability Information

Vulnerability Overview

Software Type: Web App
Software Name: Vvweb
Affected Version: 1.0.5
Software Vendor: Vvweb
Software Link: https://github.com/givanz/Vvweb
Severity: Low
CVSS Score: 3.5
CVE Link: TBA
Affected Assets: 163+
Discovery Date: January 3, 2025
PoC Exploit: N/A

Description

A file inclusion vulnerability exists in the endpoint of Vvweb version 1.0.5. This vulnerability allows reading of legacy Vvweb files previously used by older versions. The current severity is low, as sensitive files cannot be accessed.

Reproduction Steps

1. Log in as an editor or a user with the "Edit Website" function.
2. Open the following endpoint:
   -
3. Change the path to:
   -
4. This will allow access to files located at the following server path:
   -

By searching for keywords found in , you can identify directories containing the following files:

PoC

Proof-of-Concept Video

A proof-of-concept video demonstrating the vulnerability reproduction is provided at the bottom of the page.