Executive Summary
CVE-2026-39918 is a critical code injection vulnerability in Vvveb, an open-source PHP website builder and CMS. The installation endpoint accepts a subdir POST parameter that is written directly into the env.php configuration file without sanitization or validation. An unauthenticated attacker can exploit this to inject arbitrary PHP code, achieving remote code execution (RCE) on the underlying server.
CVSS Score: 9.8 (Critical)
Fixed in: Vvveb v1.0.8.1
Vulnerability Overview
Root Cause
The Vvveb installation process writes configuration values supplied by the user directly into env.php. The subdir parameter is embedded inside a PHP string literal with no escaping or validation. Because the value is written verbatim into executable PHP code, an attacker who can break out of the string context can inject and execute arbitrary PHP statements.
The core issue follows a well-understood code injection pattern: user-supplied input is concatenated into executable code without sanitization. Once env.php is included by the application on subsequent requests, any injected PHP code executes in the context of the web server.
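The pattern described above, reduced to a constructed Python example added here (this is not Vvveb's code; the env.php layout, the constant name SUBDIR and the allowlist are assumptions). The unsafe renderer splices the raw value into a PHP single-quoted literal; the hardened one validates the value against an allowlist and then serialises it as a literal, so either control on its own keeps the value inside the string:

```python
import re

# Constructed example, not Vvveb's code. The env.php layout, the constant name
# SUBDIR and the allowlist below are assumptions made for illustration.

# Allowlist for a sub-directory prefix: empty, or /segment(/segment)*, optional
# trailing slash. Segments may not start with a dot.
SUBDIR_RE = re.compile(r"^(/[A-Za-z0-9_-][A-Za-z0-9._-]*)*/?$")


def render_env_unsafe(subdir: str) -> str:
    """Vulnerable pattern: the raw value is spliced into a PHP string literal.
    A value containing a quote and a semicolon ends the literal and the statement,
    so whatever follows is parsed as PHP code when env.php is included."""
    return "<?php\ndefine('SUBDIR', '" + subdir + "');\n"


def php_single_quoted(value: str) -> str:
    """Emit a PHP single-quoted literal. Inside '...' PHP only treats \\\\ and \\'
    as escapes, so escaping those two characters keeps any string inside the
    literal (the same output var_export() produces for strings)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_env_safe(subdir: str) -> str:
    """Hardened pattern: validate against the allowlist first, then serialise the
    value as a literal instead of concatenating it. Either control alone stops the
    breakout; applying both is defence in depth."""
    if not SUBDIR_RE.fullmatch(subdir):
        raise ValueError(f"subdir rejected by allowlist: {subdir!r}")
    return "<?php\ndefine('SUBDIR', " + php_single_quoted(subdir) + ");\n"


# A well-formed file is the open tag plus exactly one define() whose value is a
# single-quoted string containing no unescaped quote.
STATEMENT_RE = re.compile(r"^define\('SUBDIR', '(?:[^'\\]|\\.)*'\);$")


def value_stays_in_literal(env_php: str) -> bool:
    """Return True when the generated file consists only of the PHP open tag and
    one well-formed define() statement, i.e. nothing escaped the string context."""
    lines = env_php.strip().split("\n")
    return lines[0] == "<?php" and len(lines) == 2 and bool(STATEMENT_RE.fullmatch(lines[1]))


if __name__ == "__main__":
    # Constructed input that closes the literal and the statement, then adds a
    # benign marker statement; the trailing // comments out the original ');'.
    hostile = "/site'); echo 1; //"
    print(render_env_unsafe(hostile))
    print("value stayed in literal:", value_stays_in_literal(render_env_unsafe(hostile)))
    try:
        render_env_safe(hostile)
    except ValueError as e:
        print("hardened writer:", e)
    print(render_env_safe("/blog"))
```

The allowlist is the control that matters for a path-like setting: a sub-directory prefix never legitimately contains a quote, so rejecting the value is simpler and safer than trying to escape it. The escaping in `php_single_quoted` is kept as a second layer for the case where a future setting genuinely needs arbitrary characters.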
Attack Chain
1. Attacker identifies accessible Vvveb installation endpoint
2. Sends POST request with PHP payload injected into subdir parameter
3. Server writes payload unsanitized into env.php configuration file
4. Attacker triggers code execution via a follow-up HTTP request
5. Arbitrary OS commands execute as the web server process user
6. Full server compromise achieved — unauthenticated
Exploitation Requirements
- Access to the Vvveb installation endpoint (/install or equivalent)
- No authentication required
- Works on any Vvveb version prior to 1.0.8.1
Technical Details
Affected Endpoint
The vulnerable endpoint handles initial site setup. Exploitation requires that this endpoint remain reachable after installation, and many deployments leave it so; default Vvveb deployments may not restrict post-install access to it.
Impact of Successful Exploitation
| Capability | Detail |
|---|---|
| OS command execution | Arbitrary commands as web server user |
| File read/write | Full filesystem access |
| Webshell deployment | Persistent backdoor via additional file writes |
| Database access | Read DB credentials from config files |
| Lateral movement | Pivot to internal network from web server |
Affected Versions
| Version | Status |
|---|---|
| All versions prior to 1.0.8.1 | Vulnerable |
| v1.0.8.1 and later | Patched |
Remediation
Step 1: Upgrade Immediately
Update to Vvveb v1.0.8.1, which sanitizes the subdir parameter before writing to env.php.
```shell
# Via Git
git pull origin main
git checkout v1.0.8.1
# Verify env.php after upgrade — check for unexpected PHP code
grep -n "system\|passthru\|shell_exec\|base64_decode" env.php
```
Step 2: Block the Install Endpoint
Restrict access to the installation endpoint at the web server level after initial setup:
```nginx
# Nginx — block install endpoint after setup
location ~ ^/install {
    deny all;
    return 403;
}
```

```apache
# Apache — vhost or server config (<Location> is not permitted in .htaccess)
<Location /install>
    # Deny everyone; to allow only an admin network instead, replace the next line with:
    #   Require ip 192.168.1.0/24
    Require all denied
</Location>
```
Step 3: Audit env.php
Inspect your env.php for signs of prior exploitation:
```shell
# Look for injected code patterns (unexpected PHP functions)
grep -n "system\|passthru\|shell_exec\|base64_decode" env.php
# Compare file modification time against known-good deployment date
ls -la env.php
# Verify file hash
sha256sum env.php
```
Detection
Indicators of Exploitation
- Unexpected PHP functions in env.php beyond expected configuration constants
- POST requests to /install from external IP addresses after the initial setup date
- New PHP files created in the web root after deployment
- Web server process spawning unexpected child processes
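The grep in Step 3 and the first indicator above both look for a short list of function names, which an injected statement need not use. A structural audit is stronger: every line of env.php must match an allowlisted statement shape, and anything else is reported. The following is a constructed Python example added here, not Vvveb's tooling; the sample file contents and constant names are made up for illustration:

```python
import re

# Constructed example, not Vvveb's tooling. The sample env.php contents and the
# constant names below are made up for illustration.

PHP_OPEN_RE = re.compile(r"^<\?php$")
COMMENT_RE = re.compile(r"^(//.*|#.*|/\*.*\*/)$")
# define('NAME', <scalar>); where <scalar> is a single-quoted string with no
# unescaped quote, an integer, or true/false/null. A function call, a second
# statement on the line, or a double-quoted (interpolating) string does not match.
DEFINE_RE = re.compile(
    r"^define\('([A-Z][A-Z0-9_]*)',\s*"
    r"('(?:[^'\\]|\\.)*'|-?\d+|true|false|null)\);$"
)


def audit_env_php(contents: str) -> list:
    """Return (line_number, line) for every non-blank line that is not the PHP
    open tag, a comment, or a single well-formed define() of a scalar value."""
    findings = []
    for n, raw in enumerate(contents.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if PHP_OPEN_RE.match(line) or COMMENT_RE.match(line) or DEFINE_RE.match(line):
            continue
        findings.append((n, line))
    return findings


# Constructed clean file: only comments and scalar define() statements.
CLEAN_ENV = """<?php
// generated by installer
define('DB_HOST', 'localhost');
define('DB_USER', 'vvveb');
define('DB_PASS', 'it\\'s-a-secret');
define('DB_PORT', 3306);
define('DEBUG', false);
define('SUBDIR', '/blog');
"""

# Constructed tampered file: line 3 closed the SUBDIR literal and the statement
# and left a benign marker call on the line; line 4 uses a function call as a
# value, which the allowlist also refuses.
TAMPERED_ENV = """<?php
define('DB_HOST', 'localhost');
define('SUBDIR', '/blog'); phpinfo(); //');
define('TZ', date_default_timezone_get());
"""


if __name__ == "__main__":
    print("clean:", audit_env_php(CLEAN_ENV))
    for n, line in audit_env_php(TAMPERED_ENV):
        print(f"tampered line {n}: {line}")
```

Run it against the deployed env.php (`audit_env_php(open("env.php").read())`) alongside the hash check in Step 3; the allowlist is deliberately narrow, so a legitimate setting that uses a PHP expression will also be reported and should be reviewed rather than silently accepted.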
Log Monitoring (Nginx/Apache)
```shell
# Look for POST requests to install endpoint from external IPs
grep 'POST /install' /var/log/nginx/access.log | grep -v "your-admin-ip"
# Look for unusual query parameters on recently accessed PHP files
grep '\?cmd=' /var/log/nginx/access.log
grep '\?c=' /var/log/nginx/access.log
```
SIEM Query (Splunk)
```
index=web sourcetype=access_combined
| where match(uri_path, "install") AND http_method="POST"
| stats count by src_ip, dest_host, uri_path
| where count > 1
```
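The grep commands and the Splunk query above, combined into one stand-alone check as a constructed Python example added here (not Vvveb's tooling). It parses combined-format access log lines, flags POSTs to the install endpoint from outside an admin network after the setup date, and flags requests to PHP files carrying the query parameters the grep lines look for. The log lines, IP addresses, networks and dates are constructed:

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed example, not Vvveb's tooling. Log lines, IPs, networks and dates
# below are made up for illustration.

# nginx/Apache "combined" format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
INSTALL_PATH_RE = re.compile(r"^/install(/|$|\?)")
SUSPICIOUS_PARAM_RE = re.compile(r"[?&](cmd|c)=")  # the parameters the grep lines match


def parse_line(line: str):
    """Return a dict with ip, timezone-aware timestamp, method, path and status,
    or None for a line that is not in combined format."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def find_install_abuse(lines, admin_nets, setup_completed):
    """Return (reason, ip, path) findings. A POST to /install is only suspicious
    once setup is finished and when it comes from outside the admin networks."""
    nets = [ip_network(n) for n in admin_nets]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = ip_address(rec["ip"])
        internal = any(ip in n for n in nets)
        if (rec["method"] == "POST" and INSTALL_PATH_RE.match(rec["path"])
                and rec["ts"] > setup_completed and not internal):
            findings.append(("post-install POST to install endpoint", rec["ip"], rec["path"]))
        elif (SUSPICIOUS_PARAM_RE.search(rec["path"])
              and rec["path"].split("?")[0].endswith(".php")):
            findings.append(("suspicious query parameter on PHP file", rec["ip"], rec["path"]))
    return findings


# Constructed sample log: a legitimate install from the admin network on setup day,
# ordinary traffic, then an external hit on the installer weeks later followed by
# a request to a PHP file with a cmd parameter, and an admin re-run that is ignored.
SAMPLE_LOG = [
    '192.168.1.10 - - [01/Mar/2026:09:12:04 +0000] "POST /install HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Mar/2026:11:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [20/Mar/2026:03:41:55 +0000] "POST /install/ HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    '198.51.100.23 - - [20/Mar/2026:03:42:10 +0000] "GET /env.php?cmd=id HTTP/1.1" 200 64 "-" "python-requests/2.31"',
    '192.168.1.10 - - [21/Mar/2026:08:00:00 +0000] "POST /install HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
SETUP_COMPLETED = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed
ADMIN_NETS = ["192.168.1.0/24"]  # constructed


if __name__ == "__main__":
    for reason, ip, path in find_install_abuse(SAMPLE_LOG, ADMIN_NETS, SETUP_COMPLETED):
        print(f"{reason}: {ip} {path}")
```

Feed it the real log with `find_install_abuse(open("/var/log/nginx/access.log"), ...)`; the setup date and admin networks are the two facts that turn the raw grep into a finding, which is why they are explicit parameters rather than a `grep -v` of a single address.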