CVE-2026-6249
Published: 20 April 2026
Summary
CVE-2026-6249 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 45.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Vvveb CMS version 1.0.8 is affected by CVE-2026-6249, a remote code execution vulnerability in its media upload handler. The flaw allows attackers to bypass the extension deny-list and upload malicious PHP webshell files with a .phtml extension to the publicly accessible media directory. Published on 2026-04-20, the vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).
Authenticated attackers with low privileges can exploit this vulnerability remotely with minimal complexity and no user interaction required. By uploading a crafted PHP webshell to the media directory, attackers can then trigger it via an HTTP request, executing arbitrary operating system commands and achieving full server compromise, including high impacts on confidentiality, integrity, and availability.
Mitigation details are available in the referenced advisories and patch. A fixing commit (23ac0e8c758d80f3c4d9224763c8b2359648270e) has been published on the Vvveb GitHub repository, and further analysis is provided in the VulnCheck advisory at https://www.vulncheck.com/advisories/vvveb-cms-remote-code-execution-via-media-upload.
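To make the deny-list weakness concrete from the defender's side, the following added illustration (not Vvveb's code; the deny-list contents and all filenames are constructed) contrasts an extension deny-list that omits .phtml with an allow-list check that also verifies magic bytes, rejects path components and nested extensions, and stores the file under a server-chosen name:

```python
import posixpath
import secrets

# Hypothetical deny-list of the kind the advisory describes: it blocks the
# obvious PHP extensions but omits .phtml, which many PHP-FPM/Apache setups
# still execute. This is constructed for illustration, not Vvveb's list.
DENY_LIST = {".php", ".php3", ".php4", ".php5", ".phar"}

# Hardened alternative: explicit allow-list of media extensions, each paired
# with the magic bytes the file content must start with.
ALLOW_LIST = {
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def deny_list_upload_ok(filename: str) -> bool:
    """Weak check (CWE-434 pattern): accept anything not explicitly banned."""
    ext = posixpath.splitext(filename)[1].lower()
    return ext not in DENY_LIST


def allow_list_upload_ok(filename: str, head: bytes) -> bool:
    """Hardened check: only listed media extensions, content must match,
    no directory components, no NUL bytes, no nested extension (a.php.png)."""
    if "\x00" in filename or posixpath.basename(filename) != filename:
        return False
    stem, ext = posixpath.splitext(filename)
    ext = ext.lower()
    if ext not in ALLOW_LIST:
        return False
    if posixpath.splitext(stem)[1]:  # second extension such as shell.php.png
        return False
    return head.startswith(ALLOW_LIST[ext])


def storage_name(filename: str) -> str:
    """Never reuse the client-supplied name in the web-served media directory;
    keep only the validated extension and generate the rest server-side."""
    ext = posixpath.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # The .phtml webshell sails through the deny-list but not the allow-list.
    print(deny_list_upload_ok("shell.phtml"), allow_list_upload_ok("shell.phtml", b"<?php"))
```

Pair the allow-list check with a web-server rule that refuses to execute scripts from the media directory, so a single missed extension no longer yields code execution.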
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23948
Vulnerability details
Vvveb CMS 1.0.8.2 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass the extension deny-list and upload malicious files to the publicly accessible media directory, then request the file over HTTP to achieve full server compromise.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows exploitation of a public-facing web application (T1190) to upload and execute a PHP webshell (T1100), enabling remote code execution.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of file uploads to block dangerous types such as .phtml webshells, directly addressing the unrestricted upload vulnerability.
- SI-3 (Malicious Code Protection): deploys malicious code protection at upload entry points to scan for and eradicate PHP webshells before they reach the executable media directory.
- SI-2 (Flaw Remediation): mandates timely remediation of the specific flaw in the media upload handler, patching the extension deny-list bypass.