CVE-2026-41928

Sažetak

Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. Attackers can access the cron controller without authentication and retrieve the exposed secret key from the response, enabling them to trigger scheduled task execution outside of the intended schedule.

Reference

https://github.com/givanz/Vvveb/commit/517bc09faf44136e72de391aacc8b90a706f7ae7
https://www.vulncheck.com/advisories/vvveb-information-disclosure-via-cron-controller

CVSS

Base:	5.3
Impact:	1.4
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	NONE	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Zadnje važnije ažuriranje

08-05-2026 - 15:47

Objavljeno

07-05-2026 - 22:16