Cyber Resilience

CVE-2026-6249

Severity: High · Public PoC available

Published: 20 April 2026
Modified: 06 May 2026
KEV added: not listed
Patch: available

CVSS v4.0 base score: 8.7 (High)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS score: 0.0062 (45.2nd percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-6249 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS v4.0 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 45.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Vvveb CMS 1.0.8.2 is affected by CVE-2026-6249, a remote code execution vulnerability in its media upload handler. The handler screens uploads with an extension deny-list, and .phtml is not on it, although common PHP handler configurations execute .phtml files (Debian's Apache mod_php configuration, for example, maps .php, .phtml and .phar to the PHP interpreter). An attacker can therefore upload a PHP webshell with a .phtml extension into the publicly accessible media directory. Published on 2026-04-20, the vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).

An authenticated attacker with low privileges can exploit it remotely with low attack complexity and no user interaction. After uploading the crafted .phtml webshell to the media directory, the attacker requests it over HTTP; the server runs it as PHP, giving arbitrary operating system command execution and full server compromise, with high impact on confidentiality, integrity and availability.

Mitigation details are available in the referenced advisories and patch. A fixing commit (23ac0e8c758d80f3c4d9224763c8b2359648270e) has been published on the Vvveb GitHub repository, and further analysis is provided in the VulnCheck advisory at https://www.vulncheck.com/advisories/vvveb-cms-remote-code-execution-via-media-upload.
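
The bypass and its fix, as an added example that is not Vvveb's code (the deny-list contents are a hypothetical stand-in, since the page does not reproduce the real one): a deny-list check of the kind described lets shell.phtml through, while an allow-list check that inspects every suffix and the file's leading bytes rejects it, along with the double-extension and image/PHP polyglot variants that usually follow a patch. Python is used rather than PHP so the checks run stand-alone; the logic ports directly.

```python
"""Extension checks for a media upload handler: the deny-list pattern a .phtml upload
slips past, and an allow-list replacement that also checks content.

Added example, not Vvveb's code. NAIVE_DENYLIST is a hypothetical stand-in for the
kind of check CVE-2026-6249 describes; the real list is not on the advisory page."""
from __future__ import annotations

import os
import secrets

# Hypothetical deny-list (assumption): names the obvious PHP suffix but not the other
# suffixes that common PHP handler configurations execute (.phtml, .phar, .php5, ...).
NAIVE_DENYLIST = {".php", ".exe", ".sh"}


def denylist_allows(filename: str) -> bool:
    """Vulnerable pattern: accept unless the final suffix is on the deny-list.
    'shell.phtml' is accepted, and handler configs that map .phtml will run it."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in NAIVE_DENYLIST


# Hardened replacement: allow-list of media types, each keyed to the magic bytes it must start with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".webp": (b"RIFF",),  # bytes 8..12 must also read WEBP, checked below
    ".pdf": (b"%PDF-",),
}
# PHP open tags; a file carrying one is rejected even when its magic bytes look right
# (image/PHP polyglots are the usual way to get PHP past a pure magic-byte check).
PHP_MARKERS = (b"<?php", b"<?=", b"<script language=\"php\"")


def allowlist_check(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Every part of the name is inspected, not just the last suffix."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path component
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # 'shell.php.jpg', '.htaccess' and 'noext' are all rejected here
        return False, "name must be <stem>.<ext> with exactly one extension"
    ext = "." + parts[1]
    if ext not in ALLOWED:
        return False, f"extension {ext} not in allow-list"
    if not any(content.startswith(m) for m in ALLOWED[ext]):
        return False, f"content does not match {ext}"
    if ext == ".webp" and content[8:12] != b"WEBP":
        return False, "RIFF container is not WEBP"
    if any(m in content for m in PHP_MARKERS):
        return False, "PHP open tag embedded in file"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Never store under the user-supplied name: random stem plus the validated extension.
    Call only after allowlist_check accepted the file."""
    ext = "." + filename.lower().rsplit(".", 1)[1]
    return secrets.token_hex(16) + ext
```

Whatever the real list contained, a deny-list has to enumerate every suffix every deployed handler executes, and .phtml, .phar and .php5 are routinely missed; the allow-list check does not depend on the handler map at all. Even with it in place, configure the web server so that nothing under the media directory is ever passed to PHP (for Apache, remove or deny the PHP handler for that path; for nginx, make sure no `location` that proxies to php-fpm matches it), so that the next bypass yields a download rather than code execution.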

Vulnerability details

Vvveb CMS 1.0.8.2 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass the extension deny-list and upload malicious files to the publicly accessible media directory, then request the file over HTTP to achieve full server compromise.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The vulnerability allows exploitation of a public-facing web application (T1190) to upload and execute a PHP webshell (T1505.003), giving remote code execution and a persistent foothold.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22654 (shared CWE-434)
CVE-2025-11948 (shared CWE-434)
CVE-2025-67260 (shared CWE-434)
CVE-2025-28915 (shared CWE-434)
CVE-2023-53956 (shared CWE-434)
CVE-2025-6058 (shared CWE-434)
CVE-2021-47819 (shared CWE-434)
CVE-2025-7852 (shared CWE-434)
CVE-2026-4883 (shared CWE-434)
CVE-2019-25630 (shared CWE-434)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent): requires validation of file uploads to block dangerous types like .phtml webshells, directly addressing the unrestricted upload vulnerability.

SI-3 Malicious Code Protection (prevent, detect): deploys malicious code protection at upload entry points to scan and eradicate PHP webshells before they reach the executable media directory.

SI-2 Flaw Remediation (prevent): mandates timely remediation of the specific flaw in the media upload handler, patching the extension deny-list bypass.
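
Detection and response for the webshell the page describes (the T1505.003 mapping above and the SI-3 control here) can be exercised with the following script, added as an example and not part of Vvveb or the advisory. It hunts a media directory for PHP-executable files and PHP content, and scans access-log lines for successful requests to such files under the media path. The extension list, the /media/ prefix, the combined log format, and every sample file and log line are constructed assumptions.

```python
"""Hunt for the footprint CVE-2026-6249 leaves behind: PHP-executable files under the
CMS media directory, and web-server requests that reached one.

Added example, not Vvveb's code. The extension list, the /media/ prefix, the combined
log format and every sample file and log line below are constructed assumptions."""
from __future__ import annotations

import os
import re
import shutil
import tempfile

# Suffixes common PHP handler configurations execute, not only ".php".
PHP_EXEC_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phps", ".pht", ".phtml", ".phar"}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.I)
EXEC_PRIMITIVE = re.compile(
    rb"\b(system|exec|passthru|shell_exec|popen|proc_open|eval|assert)\s*\(", re.I)


def classify_file(path: str) -> list[str]:
    """Reasons a file looks like a webshell; an empty list means nothing was found."""
    reasons = []
    suffixes = {"." + s for s in os.path.basename(path).lower().split(".")[1:]}
    if suffixes & PHP_EXEC_EXTS:  # catches shell.phtml and shell.php.jpg alike
        reasons.append("php-executable extension")
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)  # a tag at the top, or right after image magic bytes
    if PHP_OPEN_TAG.search(head):
        reasons.append("php open tag in content")
        if EXEC_PRIMITIVE.search(head):
            reasons.append("command-execution primitive")
    return reasons


def hunt_media_dir(root: str) -> list[dict]:
    """Walk the media tree and report every file classify_file flags."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify_file(full)
            if reasons:
                findings.append({"path": os.path.relpath(full, root), "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


# Apache/nginx combined log format (assumed); only the fields used are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')


def hunt_access_log(lines, media_prefix: str = "/media/") -> list[dict]:
    """Successful requests for PHP-executable paths under the media prefix: the shell being driven."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        ext = os.path.splitext(path)[1].lower()
        if path.startswith(media_prefix) and ext in PHP_EXEC_EXTS and m.group("status") == "200":
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": path, "query": query})
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Apr/2026:10:01:02 +0000] "POST /admin/media/upload HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Apr/2026:10:01:09 +0000] "GET /media/shell.phtml?cmd=id HTTP/1.1" 200 61 "-" "curl/8.6.0"',
    '198.51.100.4 - - [20/Apr/2026:10:02:30 +0000] "GET /media/2026/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Apr/2026:10:03:11 +0000] "GET /media/old.php HTTP/1.1" 404 196 "-" "curl/8.6.0"',
]


def demo() -> tuple[list[dict], list[dict]]:
    """Build a constructed media tree in a temp dir, hunt it, and scan the sample log."""
    root = tempfile.mkdtemp(prefix="media-")
    try:
        os.makedirs(os.path.join(root, "2026"))
        samples = {  # constructed files: one clean image, a .phtml shell, a JPEG/PHP polyglot
            "2026/photo.jpg": b"\xff\xd8\xff\xe0JFIF...",
            "shell.phtml": b"<?php system($_GET['cmd']); ?>",
            "poly.jpg": b"\xff\xd8\xff\xe0JFIF<?php eval(base64_decode($_POST['p'])); ?>",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return hunt_media_dir(root), hunt_access_log(SAMPLE_LOG)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for section in demo():
        for item in section:
            print(item)
```

Run hunt_media_dir against the real media root and hunt_access_log against the server's access logs. A file finding plus a 200 to that path from the same client, as in the sample, is the full chain from T1190 to T1505.003. Treat any hit as a host compromise to be rebuilt with credentials rotated, not as a file to delete: the first command a webshell runs is often to plant a second one somewhere the scan above does not look.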

References