CVE-2026-41930
CRITICAL
Vvveb < 1.0.8.2 Hard-coded Credentials Information Disclosure via phpMyAdmin
Title source: cna
Description
Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to gain unrestricted read and write access to the entire Vvveb database, including administrator password hashes, customer personally identifiable information, and order data, enabling account takeover and data manipulation.
References (4)
Core References
Release Notes release-notes
https://github.com/givanz/Vvveb/releases/tag/1.0.8.2
Vendor Advisory vendor-advisory
https://github.com/givanz/Vvveb/security/advisories/GHSA-g38h-mr9p-fjmf
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/vvveb-hard-coded-credentials-information-disclosure-via-phpmyadmin
Scores
CVSS v3: 9.8
EPSS: 0.0035
EPSS Percentile: 26.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-306
Status: published
Products (1)
givanz/Vvveb < 1.0.8.2
Published: May 06, 2026
Tracked Since: May 07, 2026