CVE-2026-41928
MEDIUM
Vvveb < 1.0.8.2 Information Disclosure via Cron Controller
Title source: cna
Description
Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. Attackers can access the cron controller without authentication and retrieve the exposed secret key from the response, enabling them to trigger scheduled task execution outside of the intended schedule.
References (2)
Core References
Third Party Advisory
https://www.vulncheck.com/advisories/vvveb-information-disclosure-via-cron-controller
Scores
CVSS v3: 5.3
EPSS: 0.0042
EPSS Percentile: 33.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-497
Status: published
Products (1)
givanz/Vvveb: < 1.0.8.2
Published: May 07, 2026
Tracked Since: May 08, 2026