CVE-2026-39918
Published: 20 April 2026
Summary
CVE-2026-39918 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.2 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-39918 is a code injection vulnerability (CWE-94) affecting Vvveb versions prior to 1.0.8.1. The flaw exists in the installation endpoint, where the subdir POST parameter is written unsanitized into the env.php configuration file without proper escaping or validation. This allows attackers to inject arbitrary PHP code by breaking out of the string context within the define statement. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for widespread remote exploitation.
Any unauthenticated remote attacker can exploit this vulnerability by sending a crafted POST request to the installation endpoint with a malicious subdir parameter. Successful exploitation leads to arbitrary PHP code execution on the server as the web server user, potentially enabling full server compromise, data theft, persistence, or lateral movement within the environment.
Mitigation is available through upgrading to Vvveb version 1.0.8.1 or later, as detailed in the project's GitHub release notes. The specific fix is implemented in commit 5162c1639130bd080ab63c7d856788cd59d6b3b7, which addresses the unsanitized parameter handling. Additional details on the vulnerability and remediation are provided in the VulnCheck advisory.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23868
Vulnerability details
Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of…
more
the string context in the define statement to achieve unauthenticated remote code execution as the web server user.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated remote code execution via a public-facing web application's installation endpoint, directly mapping to exploitation of public-facing applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of the unsanitized subdir POST parameter to block code injection into the env.php configuration file.
Mandates timely identification, reporting, and patching of the code injection flaw addressed in Vvveb 1.0.8.1.
Provides vulnerability scanning to detect the presence of CVE-2026-39918 in Vvveb installations prior to 1.0.8.1.