CVE-2026-41931
MEDIUM
Vvveb < 1.0.8.2 Information Disclosure via Debug Exception Handler
Title source: cna
Description
Vvveb before version 1.0.8.2 contains an information disclosure vulnerability that allows unauthenticated attackers to obtain sensitive server information by triggering unhandled exceptions in the password-reset module. Attackers can access the admin password-reset endpoint to trigger a fatal error caused by a missing namespace import, which exposes the absolute server file path, internal class namespaces, line numbers, and source code excerpts through the debug exception handler rendered to unauthenticated requests.
References (3)
Release Notes: https://github.com/givanz/Vvveb/releases/tag/1.0.8.2
Vendor Advisory: https://github.com/givanz/Vvveb/security/advisories/GHSA-xgvg-r47g-786r
Third Party Advisory: https://www.vulncheck.com/advisories/vvveb-information-disclosure-via-debug-exception-handler
Scores
CVSS v3: 5.3
EPSS: 0.0025
EPSS Percentile: 15.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-1188, CWE-209
Status: published
Products (1)
givanz/Vvveb < 1.0.8.2
Published: May 06, 2026
Tracked Since: May 07, 2026