Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-39918 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-39918 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-39918 is a code injection vulnerability in the Vvveb content management system, specifically in the installation endpoint's handling of the subdir POST parameter, affecting all versions prior to 1.0.8.1.

Technical Detail

The flaw exists because user-supplied input from the subdir POST parameter is written directly into the env.php configuration file during installation without sanitization or escaping. An attacker who can reach the installation endpoint can inject arbitrary PHP code into this configuration file, resulting in remote code execution (RCE) on the underlying server. Because the configuration file is subsequently included by the application, injected code executes in the context of the web server process, potentially granting full system access depending on server permissions.

Exploitation Status

No known exploit has been publicly documented or observed at this time. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Despite the absence of confirmed exploitation, the critical CVSS score of 9.8 and the straightforward nature of the injection path make this a high-priority concern, as the attack surface is simple to understand and may attract rapid weaponization.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability as of April 27, 2026.

What To Do

Upgrade Vvveb to version 1.0.8.1 or later immediately. If upgrading is not immediately possible, restrict network access to the installation endpoint at the web server or firewall level, ensuring it is not reachable from untrusted networks. If the installation process has already been completed, verify the integrity of the env.php file for any unexpected or injected PHP code. Monitor web server logs for unusual POST requests targeting the installation endpoint as a detection signal. Given the critical severity rating, patching should be treated as urgent and completed within 24 to 48 hours of operational feasibility.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →