CVE-2026-41928

5.3 MEDIUM

Published: May 07, 2026 Modified: May 08, 2026

Description

Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. Attackers can access the cron controller without authentication and retrieve the exposed secret key from the response, enabling them to trigger scheduled task execution outside of the intended schedule.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/givanz/Vvveb/commit/517bc09faf44136e72de391aacc8b90a706f7ae7

Source: disclosure@vulncheck.com

https://www.vulncheck.com/advisories/vvveb-information-disclosure-via-cron-controller

Source: disclosure@vulncheck.com

2 reference(s) from NVD

Quick Stats

CVSS v3 Score

5.3 / 10.0

EPSS (Exploit Probability)

0.4%

33th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-497

Related CVEs

CVE-2026-48777 N/A

CVE-2026-47750 7.8

CVE-2026-47747 7.8

CVE-2026-46448 5.4

CVE-2026-22313 9.1