CVE-2026-41928

MEDIUM CVSS 5.3 View on NVD ↗

Description

Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. Attackers can access the cron controller without authentication and retrieve the exposed secret key from the response, enabling them to trigger scheduled task execution outside of the intended schedule.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

https://github.com/givanz/Vvveb/commit/517bc09faf44136e72de391aacc8b90a706f7ae7
https://www.vulncheck.com/advisories/vvveb-information-disclosure-via-cron-controller

Published: May 07, 2026 22:16 UTC Modified: May 08, 2026 15:47 UTC