Search criteria
39 vulnerabilities by givanz
CVE-2026-46408 (GCVE-0-2026-46408)
Vulnerability from cvelistv5 – Published: 2026-05-15 18:46 – Updated: 2026-05-15 19:53
VLAI
Title
Vvveb: checkout IDOR allows unauthorized reuse of another user's cart
Summary
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart_id and uses it to enter the payment flow without verifying cart ownership. A logged-in attacker can therefore reuse another user's cart data in their own checkout session. This vulnerability is fixed in 1.0.8.3.
Severity
7.6 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/security/advisori… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46408",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-15T19:52:41.934191Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T19:53:13.706Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-rmh2-wv73-xpqh"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart_id and uses it to enter the payment flow without verifying cart ownership. A logged-in attacker can therefore reuse another user\u0027s cart data in their own checkout session. This vulnerability is fixed in 1.0.8.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T18:46:31.693Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/givanz/Vvveb/security/advisories/GHSA-rmh2-wv73-xpqh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-rmh2-wv73-xpqh"
}
],
"source": {
"advisory": "GHSA-rmh2-wv73-xpqh",
"discovery": "UNKNOWN"
},
"title": "Vvveb: checkout IDOR allows unauthorized reuse of another user\u0027s cart"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46408",
"datePublished": "2026-05-15T18:46:31.693Z",
"dateReserved": "2026-05-13T21:04:10.932Z",
"dateUpdated": "2026-05-15T19:53:13.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46407 (GCVE-0-2026-46407)
Vulnerability from cvelistv5 – Published: 2026-05-15 18:45 – Updated: 2026-05-18 16:08
VLAI
Title
Vvveb: admin/auth-token IDOR allows unauthorized disclosure of administrator REST API tokens
Summary
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to load another administrator's REST API token list by supplying that user's admin_id. This can disclose sensitive API tokens belonging to other administrators. This vulnerability is fixed in 1.0.8.3.
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/security/advisori… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46407",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T16:08:20.825059Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T16:08:56.739Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to load another administrator\u0027s REST API token list by supplying that user\u0027s admin_id. This can disclose sensitive API tokens belonging to other administrators. This vulnerability is fixed in 1.0.8.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T18:45:43.129Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/givanz/Vvveb/security/advisories/GHSA-5g3g-x6mf-pwr6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-5g3g-x6mf-pwr6"
}
],
"source": {
"advisory": "GHSA-5g3g-x6mf-pwr6",
"discovery": "UNKNOWN"
},
"title": "Vvveb: admin/auth-token IDOR allows unauthorized disclosure of administrator REST API tokens"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46407",
"datePublished": "2026-05-15T18:45:43.129Z",
"dateReserved": "2026-05-13T21:04:10.932Z",
"dateUpdated": "2026-05-18T16:08:56.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45800 (GCVE-0-2026-45800)
Vulnerability from cvelistv5 – Published: 2026-05-15 18:44 – Updated: 2026-05-16 01:21
VLAI
Title
Vvveb: Authenticated SQL injection in /user/orders via order_by and direction
Summary
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an authenticated SQL injection issue in the frontend user order history page in Vvveb CMS. A normal frontend user can log in and access /user/orders. The order_by and direction request parameters are accepted from the URL, propagated through the Orders component, and directly concatenated into the SQL ORDER BY clause in OrderSQL::getAll(). Because of this, attacker-controlled input reaches SQL structure without a whitelist or safe query construction step. This vulnerability is fixed in 1.0.8.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/security/advisori… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45800",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-16T01:20:32.130703Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T01:21:02.433Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-vwcx-w4fq-9769"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an authenticated SQL injection issue in the frontend user order history page in Vvveb CMS. A normal frontend user can log in and access /user/orders. The order_by and direction request parameters are accepted from the URL, propagated through the Orders component, and directly concatenated into the SQL ORDER BY clause in OrderSQL::getAll(). Because of this, attacker-controlled input reaches SQL structure without a whitelist or safe query construction step. This vulnerability is fixed in 1.0.8.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T18:44:38.901Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/givanz/Vvveb/security/advisories/GHSA-vwcx-w4fq-9769",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-vwcx-w4fq-9769"
}
],
"source": {
"advisory": "GHSA-vwcx-w4fq-9769",
"discovery": "UNKNOWN"
},
"title": "Vvveb: Authenticated SQL injection in /user/orders via order_by and direction"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45800",
"datePublished": "2026-05-15T18:44:38.901Z",
"dateReserved": "2026-05-13T08:19:32.603Z",
"dateUpdated": "2026-05-16T01:21:02.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45622 (GCVE-0-2026-45622)
Vulnerability from cvelistv5 – Published: 2026-05-15 18:42 – Updated: 2026-05-15 22:21
VLAI
Title
Vvveb: Unauthenticated reflected XSS in public product return form via customer_order_id
Summary
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an unauthenticated reflected cross-site scripting (XSS) issue in the public product return form in Vvveb CMS. The customer_order_id POST parameter is inserted into the Order %s not found! error message when the order lookup fails, and that message is rendered in the frontend template without HTML escaping. As a result, attacker-controlled HTML/JavaScript executes in the submitting user's browser. This vulnerability is fixed in 1.0.8.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/security/advisori… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45622",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-15T22:13:34.331975Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T22:21:56.168Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-3xwm-8f6m-cfc6"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an unauthenticated reflected cross-site scripting (XSS) issue in the public product return form in Vvveb CMS. The customer_order_id POST parameter is inserted into the Order %s not found! error message when the order lookup fails, and that message is rendered in the frontend template without HTML escaping. As a result, attacker-controlled HTML/JavaScript executes in the submitting user\u0027s browser. This vulnerability is fixed in 1.0.8.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T18:42:46.670Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/givanz/Vvveb/security/advisories/GHSA-3xwm-8f6m-cfc6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-3xwm-8f6m-cfc6"
}
],
"source": {
"advisory": "GHSA-3xwm-8f6m-cfc6",
"discovery": "UNKNOWN"
},
"title": "Vvveb: Unauthenticated reflected XSS in public product return form via customer_order_id"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45622",
"datePublished": "2026-05-15T18:42:46.670Z",
"dateReserved": "2026-05-12T20:31:43.449Z",
"dateUpdated": "2026-05-15T22:21:56.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45616 (GCVE-0-2026-45616)
Vulnerability from cvelistv5 – Published: 2026-05-15 18:39 – Updated: 2026-05-15 20:19
VLAI
Title
Vvveb: Stored XSS in Posts allows privilege escalation via post editor
Summary
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, This vulnerability is fixed in 1.0.8.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/security/advisori… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45616",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-15T20:19:24.714027Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T20:19:44.577Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-39gc-pjv5-4w4p"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, This vulnerability is fixed in 1.0.8.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T18:39:11.554Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/givanz/Vvveb/security/advisories/GHSA-39gc-pjv5-4w4p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-39gc-pjv5-4w4p"
}
],
"source": {
"advisory": "GHSA-39gc-pjv5-4w4p",
"discovery": "UNKNOWN"
},
"title": "Vvveb: Stored XSS in Posts allows privilege escalation via post editor"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45616",
"datePublished": "2026-05-15T18:39:11.554Z",
"dateReserved": "2026-05-12T20:31:43.448Z",
"dateUpdated": "2026-05-15T20:19:44.577Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44826 (GCVE-0-2026-44826)
Vulnerability from cvelistv5 – Published: 2026-05-15 18:37 – Updated: 2026-05-15 21:11
VLAI
Title
Vvveb: Vvveb CMS — Negative-quantity cart manipulation allows creation of orders with negative grand totals
Summary
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-add endpoint. Submitting a negative integer is accepted by the server and treated as a normal positive line-item, but with the sign carried through into every downstream computation: line total, sub-total, taxes, and grand total all become negative numbers. The customer-facing cart UI then displays a negative grand total to the user, the checkout flow accepts the negative cart, and the resulting order is persisted in the merchant's database with a negative total column. From the merchant's order management dashboard, this surfaces as a real order with a negative total — an "the merchant owes the customer money" record that no legitimate workflow ever creates. This vulnerability is fixed in 1.0.8.2.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1284 - Improper Validation of Specified Quantity in Input
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/security/advisori… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44826",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-15T21:11:36.498710Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T21:11:41.143Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-75x2-j47j-mg8j"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.8.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-add endpoint. Submitting a negative integer is accepted by the server and treated as a normal positive line-item, but with the sign carried through into every downstream computation: line total, sub-total, taxes, and grand total all become negative numbers. The customer-facing cart UI then displays a negative grand total to the user, the checkout flow accepts the negative cart, and the resulting order is persisted in the merchant\u0027s database with a negative total column. From the merchant\u0027s order management dashboard, this surfaces as a real order with a negative total \u2014 an \"the merchant owes the customer money\" record that no legitimate workflow ever creates. This vulnerability is fixed in 1.0.8.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1284",
"description": "CWE-1284: Improper Validation of Specified Quantity in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T18:37:19.934Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/givanz/Vvveb/security/advisories/GHSA-75x2-j47j-mg8j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-75x2-j47j-mg8j"
}
],
"source": {
"advisory": "GHSA-75x2-j47j-mg8j",
"discovery": "UNKNOWN"
},
"title": "Vvveb: Vvveb CMS \u2014 Negative-quantity cart manipulation allows creation of orders with negative grand totals"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44826",
"datePublished": "2026-05-15T18:37:19.934Z",
"dateReserved": "2026-05-07T21:21:48.351Z",
"dateUpdated": "2026-05-15T21:11:41.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44366 (GCVE-0-2026-44366)
Vulnerability from cvelistv5 – Published: 2026-05-15 18:33 – Updated: 2026-05-16 01:15
VLAI
Title
Vvveb: Stored XSS via Comment Author Field
Summary
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.1, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Vvveb CMS comment submission flow. The author field is submitted by an unauthenticated user on any public post page, stored without sanitization, and later rendered unsanitized in two distinct sinks: This vulnerability is fixed in 1.0.8.1.
Severity
6.1 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/security/advisori… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44366",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-16T01:14:27.783251Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T01:15:00.615Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-gpmg-pcxr-9wvf"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.1, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Vvveb CMS comment submission flow. The author field is submitted by an unauthenticated user on any public post page, stored without sanitization, and later rendered unsanitized in two distinct sinks: This vulnerability is fixed in 1.0.8.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T18:33:17.691Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/givanz/Vvveb/security/advisories/GHSA-gpmg-pcxr-9wvf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-gpmg-pcxr-9wvf"
}
],
"source": {
"advisory": "GHSA-gpmg-pcxr-9wvf",
"discovery": "UNKNOWN"
},
"title": "Vvveb: Stored XSS via Comment Author Field"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44366",
"datePublished": "2026-05-15T18:33:17.691Z",
"dateReserved": "2026-05-05T20:15:20.631Z",
"dateUpdated": "2026-05-16T01:15:00.615Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41937 (GCVE-0-2026-41937)
Vulnerability from cvelistv5 – Published: 2026-05-14 14:30 – Updated: 2026-05-25 23:42 X_Open Source
VLAI
Title
Vvveb < 1.0.8.3 Unrestricted File Upload RCE via Plugin Upload
Summary
Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows super_admin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file. Attackers can craft a ZIP containing a plugin.php with a valid Slug header and a public/index.php file with arbitrary PHP code, which executes as the web server user once accessed via subsequent unauthenticated HTTP requests to the plugin's public path.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/releases/tag/1.0.8.3 | release-notes |
| https://github.com/givanz/Vvveb/commit/04f0294350… | patch |
| https://www.vulncheck.com/advisories/vvveb-unrest… | third-party-advisory |
Impacted products
Date Public
2026-05-13 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41937",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T19:01:19.091805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T19:02:24.088Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Vvveb",
"repo": "https://github.com/givanz/Vvveb",
"vendor": "givanz",
"versions": [
{
"lessThan": "1.0.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "04f0294350ec429e307cd31c2e777a4797c868d6",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Basant Kumar (@CyberWarrior9)"
},
{
"lang": "en",
"type": "finder",
"value": "VulnCheck"
}
],
"datePublic": "2026-05-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows super_admin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file. Attackers can craft a ZIP containing a plugin.php with a valid Slug header and a public/index.php file with arbitrary PHP code, which executes as the web server user once accessed via subsequent unauthenticated HTTP requests to the plugin\u0027s public path."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-61",
"description": "UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T23:42:18.902Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.3"
},
{
"tags": [
"patch"
],
"url": "https://github.com/givanz/Vvveb/commit/04f0294350ec429e307cd31c2e777a4797c868d6"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vvveb-unrestricted-file-upload-rce-via-plugin-upload"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "Vvveb \u003c 1.0.8.3 Unrestricted File Upload RCE via Plugin Upload",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-41937",
"datePublished": "2026-05-14T14:30:52.282Z",
"dateReserved": "2026-04-22T18:50:43.621Z",
"dateUpdated": "2026-05-25T23:42:18.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41935 (GCVE-0-2026-41935)
Vulnerability from cvelistv5 – Published: 2026-05-14 14:27 – Updated: 2026-05-14 17:57 X_Open Source
VLAI
Title
Vvveb < 1.0.8.3 Uncontrolled Recursion Denial of Service
Summary
Vvveb before 1.0.8.3 contains an uncontrolled recursion vulnerability in the admin controller dispatch cycle where Base::init() repeatedly invokes permission() on error handlers, causing infinite recursion until PHP memory limits are exhausted. Attackers can send sustained requests to forbidden admin URLs from a low-privilege account to exhaust PHP memory on all workers and cause denial of service to legitimate traffic.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/releases/tag/1.0.8.3 | release-notes |
| https://github.com/givanz/Vvveb/commit/c766e84b47… | patch |
| https://www.vulncheck.com/advisories/vvveb-uncont… | third-party-advisory |
Impacted products
Date Public
2026-05-13 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41935",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T17:56:56.367051Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T17:57:15.136Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Vvveb",
"repo": "https://github.com/givanz/Vvveb",
"vendor": "givanz",
"versions": [
{
"lessThan": "1.0.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "c766e84b479dcf1bd1f25a44e4b9c9fa450769c8",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Basant Kumar (@CyberWarrior9)"
},
{
"lang": "en",
"type": "finder",
"value": "VulnCheck"
}
],
"datePublic": "2026-05-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vvveb before 1.0.8.3 contains an uncontrolled recursion vulnerability in the admin controller dispatch cycle where Base::init() repeatedly invokes permission() on error handlers, causing infinite recursion until PHP memory limits are exhausted. Attackers can send sustained requests to forbidden admin URLs from a low-privilege account to exhaust PHP memory on all workers and cause denial of service to legitimate traffic."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-209",
"description": "Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:59:08.531Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.3"
},
{
"tags": [
"patch"
],
"url": "https://github.com/givanz/Vvveb/commit/c766e84b479dcf1bd1f25a44e4b9c9fa450769c8"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vvveb-uncontrolled-recursion-denial-of-service"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "Vvveb \u003c 1.0.8.3 Uncontrolled Recursion Denial of Service",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-41935",
"datePublished": "2026-05-14T14:27:06.987Z",
"dateReserved": "2026-04-22T18:50:43.620Z",
"dateUpdated": "2026-05-14T17:57:15.136Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41933 (GCVE-0-2026-41933)
Vulnerability from cvelistv5 – Published: 2026-05-14 14:23 – Updated: 2026-05-14 15:59 X_Open Source
VLAI
Title
Vvveb < 1.0.8.3 Directory Listing Information Disclosure
Summary
Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset paths, plugins, themes, and media folders to view filenames, file sizes, modification timestamps, and unrendered admin templates containing sensitive route maps.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-548 - Exposure of Information Through Directory Listing
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/releases/tag/1.0.8.3 | release-notes |
| https://github.com/givanz/Vvveb/commit/96ae04c5e4… | patch |
| https://www.vulncheck.com/advisories/vvveb-direct… | third-party-advisory |
Impacted products
Date Public
2026-05-13 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41933",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T15:58:49.831049Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:58:59.640Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Vvveb",
"repo": "https://github.com/givanz/Vvveb",
"vendor": "givanz",
"versions": [
{
"lessThan": "1.0.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "96ae04c5e4a295e281adc1d02d77444173653deb",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Basant Kumar (@CyberWarrior9)"
},
{
"lang": "en",
"type": "finder",
"value": "VulnCheck"
}
],
"datePublic": "2026-05-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset paths, plugins, themes, and media folders to view filenames, file sizes, modification timestamps, and unrendered admin templates containing sensitive route maps."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:59:01.429Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.3"
},
{
"tags": [
"patch"
],
"url": "https://github.com/givanz/Vvveb/commit/96ae04c5e4a295e281adc1d02d77444173653deb"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vvveb-directory-listing-information-disclosure"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "Vvveb \u003c 1.0.8.3 Directory Listing Information Disclosure",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-41933",
"datePublished": "2026-05-14T14:23:59.237Z",
"dateReserved": "2026-04-22T18:50:43.620Z",
"dateUpdated": "2026-05-14T15:59:01.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41932 (GCVE-0-2026-41932)
Vulnerability from cvelistv5 – Published: 2026-05-14 14:19 – Updated: 2026-05-14 15:58 X_Open Source
VLAI
Title
Vvveb < 1.0.8.3 Stored XSS via Signup Controller
Summary
Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow where the Signup::addUser() controller copies raw POST username values into the display_name field before sanitization occurs. Attackers can submit HTML and script markup in the username field during signup, which gets stripped from the username column but persisted verbatim in the display_name column, allowing stored XSS execution when display_name is rendered without encoding in vulnerable views.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/releases/tag/1.0.8.3 | release-notes |
| https://github.com/givanz/Vvveb/commit/fefac290a8… | patch |
| https://www.vulncheck.com/advisories/vvveb-stored… | third-party-advisory |
Impacted products
Date Public
2026-05-13 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41932",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T15:33:27.478326Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:33:51.125Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Vvveb",
"repo": "https://github.com/givanz/Vvveb",
"vendor": "givanz",
"versions": [
{
"lessThan": "1.0.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "fefac290a8c85d3c87fe80ffed68b6c5bc50e93c",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Basant Kumar (@CyberWarrior9)"
},
{
"lang": "en",
"type": "finder",
"value": "VulnCheck"
}
],
"datePublic": "2026-05-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow where the Signup::addUser() controller copies raw POST username values into the display_name field before sanitization occurs. Attackers can submit HTML and script markup in the username field during signup, which gets stripped from the username column but persisted verbatim in the display_name column, allowing stored XSS execution when display_name is rendered without encoding in vulnerable views."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:58:50.959Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.3"
},
{
"tags": [
"patch"
],
"url": "https://github.com/givanz/Vvveb/commit/fefac290a8c85d3c87fe80ffed68b6c5bc50e93c"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vvveb-stored-xss-via-signup-controller"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "Vvveb \u003c 1.0.8.3 Stored XSS via Signup Controller",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-41932",
"datePublished": "2026-05-14T14:19:34.658Z",
"dateReserved": "2026-04-22T18:50:43.620Z",
"dateUpdated": "2026-05-14T15:58:50.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41928 (GCVE-0-2026-41928)
Vulnerability from cvelistv5 – Published: 2026-05-07 21:13 – Updated: 2026-05-08 21:29 X_Open Source
VLAI
Title
Vvveb < 1.0.8.2 Information Disclosure via Cron Controller
Summary
Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. Attackers can access the cron controller without authentication and retrieve the exposed secret key from the response, enabling them to trigger scheduled task execution outside of the intended schedule.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/commit/517bc09faf… | patch |
| https://www.vulncheck.com/advisories/vvveb-inform… | third-party-advisory |
Date Public
2026-05-04 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41928",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T14:36:10.735160Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T21:29:28.507Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Vvveb",
"repo": "https://github.com/givanz/Vvveb",
"vendor": "givanz",
"versions": [
{
"lessThan": "1.0.8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Basant Kumar (@CyberWarrior9)"
},
{
"lang": "en",
"type": "finder",
"value": "Hamed Kohi (@0xHamy)"
},
{
"lang": "en",
"type": "finder",
"value": "VulnCheck"
}
],
"datePublic": "2026-05-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application\u0027s secret cron key. Attackers can access the cron controller without authentication and retrieve the exposed secret key from the response, enabling them to trigger scheduled task execution outside of the intended schedule."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T21:13:13.870Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/givanz/Vvveb/commit/517bc09faf44136e72de391aacc8b90a706f7ae7"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vvveb-information-disclosure-via-cron-controller"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_open-source"
],
"title": "Vvveb \u003c 1.0.8.2 Information Disclosure via Cron Controller",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-41928",
"datePublished": "2026-05-07T21:13:13.870Z",
"dateReserved": "2026-04-22T18:50:43.620Z",
"dateUpdated": "2026-05-08T21:29:28.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41929 (GCVE-0-2026-41929)
Vulnerability from cvelistv5 – Published: 2026-05-07 21:08 – Updated: 2026-05-08 14:14 X_Open Source
VLAI
Title
Vvveb < 1.0.8.2 Unauthenticated Reflected XSS via Visual Editor
Summary
Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or auto-submitted form that causes victims to execute attacker-controlled JavaScript in the context of the Vvveb origin, as the gating function isEditor() performs no session, role, or token verification and the view handler injects raw HTML POST body content without sanitization.
Severity
6.1 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 | release-notes |
| https://github.com/givanz/Vvveb/security/advisori… | vendor-advisory |
| https://github.com/givanz/Vvveb/commit/54a9e846fb… | patch |
| https://www.vulncheck.com/advisories/vvveb-unauth… | third-party-advisory |
Date Public
2026-05-04 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41929",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T14:14:03.265020Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T14:14:11.569Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Vvveb",
"repo": "https://github.com/givanz/Vvveb",
"vendor": "givanz",
"versions": [
{
"lessThan": "1.0.8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Basant Kumar (@CyberWarrior9)"
},
{
"lang": "en",
"type": "finder",
"value": "Hamed Kohi (@0xHamy)"
},
{
"lang": "en",
"type": "finder",
"value": "VulnCheck"
}
],
"datePublic": "2026-05-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or auto-submitted form that causes victims to execute attacker-controlled JavaScript in the context of the Vvveb origin, as the gating function isEditor() performs no session, role, or token verification and the view handler injects raw HTML POST body content without sanitization."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T21:08:50.762Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.2"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g"
},
{
"tags": [
"patch"
],
"url": "https://github.com/givanz/Vvveb/commit/54a9e846fb94192f1b31ae81d81d25c874662e6a"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vvveb-unauthenticated-reflected-xss-via-visual-editor"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_open-source"
],
"title": "Vvveb \u003c 1.0.8.2 Unauthenticated Reflected XSS via Visual Editor",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-41929",
"datePublished": "2026-05-07T21:08:50.762Z",
"dateReserved": "2026-04-22T18:50:43.620Z",
"dateUpdated": "2026-05-08T14:14:11.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41938 (GCVE-0-2026-41938)
Vulnerability from cvelistv5 – Published: 2026-05-06 18:42 – Updated: 2026-05-25 23:42 X_Open Source
VLAI
Title
Vvveb < 1.0.8.2 RCE via Media Upload Handler
Summary
Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and execute the uploaded payload through a subsequent unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 | release-notes |
| https://github.com/givanz/Vvveb/security/advisori… | vendor-advisory |
| https://github.com/givanz/Vvveb/commit/54a9e846fb… | patch |
| https://www.vulncheck.com/advisories/vvveb-rce-vi… | third-party-advisory |
Date Public
2026-05-04 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41938",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T19:25:19.039828Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T19:25:41.446Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"lessThan": "1.0.8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Basant Kumar (@CyberWarrior9)"
},
{
"lang": "en",
"type": "finder",
"value": "VulnCheck"
}
],
"datePublic": "2026-05-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and execute the uploaded payload through a subsequent unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T23:42:19.591Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.2"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g"
},
{
"tags": [
"patch"
],
"url": "https://github.com/givanz/Vvveb/commit/54a9e846fb94192f1b31ae81d81d25c874662e6a"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vvveb-rce-via-media-upload-handler"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_open-source"
],
"title": "Vvveb \u003c 1.0.8.2 RCE via Media Upload Handler",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-41938",
"datePublished": "2026-05-06T18:42:35.890Z",
"dateReserved": "2026-04-22T18:50:43.621Z",
"dateUpdated": "2026-05-25T23:42:19.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41930 (GCVE-0-2026-41930)
Vulnerability from cvelistv5 – Published: 2026-05-06 18:37 – Updated: 2026-05-08 14:05 X_Open Source
VLAI
Title
Vvveb < 1.0.8.2 Hard-coded Credentials Information Disclosure via phpMyAdmin
Summary
Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to gain unrestricted read and write access to the entire Vvveb database, including administrator password hashes, customer personally identifiable information, and order data, enabling account takeover and data manipulation.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 | release-notes |
| https://github.com/givanz/Vvveb/security/advisori… | vendor-advisory |
| https://github.com/givanz/Vvveb/commit/f85ca7c2bc… | patch |
| https://www.vulncheck.com/advisories/vvveb-hard-c… | third-party-advisory |
Date Public
2026-05-04 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41930",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T19:33:47.958860Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T19:34:56.694Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-g38h-mr9p-fjmf"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"lessThan": "1.0.8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Basant Kumar (@CyberWarrior9)"
},
{
"lang": "en",
"type": "finder",
"value": "Hamed Kohi (@0xhamy)"
},
{
"lang": "en",
"type": "finder",
"value": "VulnCheck"
}
],
"datePublic": "2026-05-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to gain unrestricted read and write access to the entire Vvveb database, including administrator password hashes, customer personally identifiable information, and order data, enabling account takeover and data manipulation."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T14:05:14.864Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.2"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-g38h-mr9p-fjmf"
},
{
"tags": [
"patch"
],
"url": "https://github.com/givanz/Vvveb/commit/f85ca7c2bc389bda3cc2eca87b2514581a628c32"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vvveb-hard-coded-credentials-information-disclosure-via-phpmyadmin"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_open-source"
],
"title": "Vvveb \u003c 1.0.8.2 Hard-coded Credentials Information Disclosure via phpMyAdmin",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-41930",
"datePublished": "2026-05-06T18:37:45.989Z",
"dateReserved": "2026-04-22T18:50:43.620Z",
"dateUpdated": "2026-05-08T14:05:14.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41931 (GCVE-0-2026-41931)
Vulnerability from cvelistv5 – Published: 2026-05-06 18:36 – Updated: 2026-05-08 14:05 X_Open Source
VLAI
Title
Vvveb < 1.0.8.2 Information Disclosure via Debug Exception Handler
Summary
Vvveb before version 1.0.8.2 contains an information disclosure vulnerability that allows unauthenticated attackers to obtain sensitive server information by triggering unhandled exceptions in the password-reset module. Attackers can access the admin password-reset endpoint to trigger a fatal error caused by a missing namespace import, which exposes the absolute server file path, internal class namespaces, line numbers, and source code excerpts through the debug exception handler rendered to unauthenticated requests.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 | release-notes |
| https://github.com/givanz/Vvveb/security/advisori… | vendor-advisory |
| https://www.vulncheck.com/advisories/vvveb-inform… | third-party-advisory |
Date Public
2026-05-04 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41931",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T19:40:49.354609Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T19:42:17.377Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-xgvg-r47g-786r"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"lessThan": "1.0.8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Basant Kumar (@CyberWarrior9)"
},
{
"lang": "en",
"type": "finder",
"value": "Hamed Kohi (@0xhamy)"
},
{
"lang": "en",
"type": "finder",
"value": "VulnCheck"
}
],
"datePublic": "2026-05-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vvveb before version 1.0.8.2 contains an information disclosure vulnerability that allows unauthenticated attackers to obtain sensitive server information by triggering unhandled exceptions in the password-reset module. Attackers can access the admin password-reset endpoint to trigger a fatal error caused by a missing namespace import, which exposes the absolute server file path, internal class namespaces, line numbers, and source code excerpts through the debug exception handler rendered to unauthenticated requests."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1188",
"description": "Initialization of a Resource with an Insecure Default",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-209",
"description": "Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T14:05:06.295Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.2"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-xgvg-r47g-786r"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vvveb-information-disclosure-via-debug-exception-handler"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_open-source"
],
"title": "Vvveb \u003c 1.0.8.2 Information Disclosure via Debug Exception Handler",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-41931",
"datePublished": "2026-05-06T18:36:13.363Z",
"dateReserved": "2026-04-22T18:50:43.620Z",
"dateUpdated": "2026-05-08T14:05:06.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41934 (GCVE-0-2026-41934)
Vulnerability from cvelistv5 – Published: 2026-05-06 18:34 – Updated: 2026-05-25 23:42 X_Open Source
VLAI
Title
Vvveb < 1.0.8.2 Authenticated RCE via Code Editor
Summary
Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code through insufficient file extension restrictions, with the uploaded payload then executable via subsequent unauthenticated HTTP requests. Attackers with editor, author, contributor, or site_admin roles can write a malicious .htaccess file to map arbitrary extensions to the PHP handler, then upload PHP code with that extension to achieve unauthenticated remote code execution when the file is accessed via HTTP.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-184 - Incomplete List of Disallowed Inputs
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 | release-notes |
| https://github.com/givanz/Vvveb/security/advisori… | vendor-advisory |
| https://github.com/givanz/Vvveb/commit/1196561276… | patch |
| https://www.vulncheck.com/advisories/vvveb-authen… | third-party-advisory |
Date Public
2026-05-04 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41934",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T19:16:50.924960Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T19:16:58.180Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"lessThan": "1.0.8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Basant Kumar (@CyberWarrior9)"
},
{
"lang": "en",
"type": "finder",
"value": "Hamed Kohi (@0xhamy)"
},
{
"lang": "en",
"type": "finder",
"value": "VulnCheck"
}
],
"datePublic": "2026-05-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code through insufficient file extension restrictions, with the uploaded payload then executable via subsequent unauthenticated HTTP requests. Attackers with editor, author, contributor, or site_admin roles can write a malicious .htaccess file to map arbitrary extensions to the PHP handler, then upload PHP code with that extension to achieve unauthenticated remote code execution when the file is accessed via HTTP."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T23:42:18.135Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.2"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-vfjj-gcvv-w248"
},
{
"tags": [
"patch"
],
"url": "https://github.com/givanz/Vvveb/commit/1196561276a3f49da5a714fef89ac9a6c6f9e33b"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vvveb-authenticated-rce-via-code-editor"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_open-source"
],
"title": "Vvveb \u003c 1.0.8.2 Authenticated RCE via Code Editor",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-41934",
"datePublished": "2026-05-06T18:34:54.273Z",
"dateReserved": "2026-04-22T18:50:43.620Z",
"dateUpdated": "2026-05-25T23:42:18.135Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41936 (GCVE-0-2026-41936)
Vulnerability from cvelistv5 – Published: 2026-05-06 18:27 – Updated: 2026-05-08 14:04 X_Open Source
VLAI
Title
Vvveb < 1.0.8.2 XML External Entity Injection via Import
Summary
Vvveb before version 1.0.8.2 contains an XML external entity (XXE) injection vulnerability in the admin Tools/Import feature that allows authenticated site_admin users to read arbitrary files and modify database records. Attackers can exploit the XML parser configuration in system/import/xml.php to inject file:// or php://filter entity references that are resolved and persisted into the application database, enabling arbitrary file disclosure and administrator password hash overwriting for privilege escalation.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 | release-notes |
| https://github.com/givanz/Vvveb/security/advisori… | vendor-advisory |
| https://github.com/givanz/Vvveb/commit/86f7128a18… | patch |
| https://www.vulncheck.com/advisories/vvveb-xml-ex… | third-party-advisory |
Date Public
2026-05-04 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41936",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T19:25:36.069051Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T19:25:51.012Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-rfxr-4xpm-wrp7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"lessThan": "1.0.8.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Basant Kumar (@CyberWarrior9)"
},
{
"lang": "en",
"type": "finder",
"value": "VulnCheck"
}
],
"datePublic": "2026-05-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vvveb before version 1.0.8.2 contains an XML external entity (XXE) injection vulnerability in the admin Tools/Import feature that allows authenticated site_admin users to read arbitrary files and modify database records. Attackers can exploit the XML parser configuration in system/import/xml.php to inject file:// or php://filter entity references that are resolved and persisted into the application database, enabling arbitrary file disclosure and administrator password hash overwriting for privilege escalation."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T14:04:43.797Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.2"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-rfxr-4xpm-wrp7"
},
{
"tags": [
"patch"
],
"url": "https://github.com/givanz/Vvveb/commit/86f7128a18edebe0ff47e3855558467eb0ef9106"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vvveb-xml-external-entity-injection-via-import"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_open-source"
],
"title": "Vvveb \u003c 1.0.8.2 XML External Entity Injection via Import",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-41936",
"datePublished": "2026-05-06T18:27:42.011Z",
"dateReserved": "2026-04-22T18:50:43.620Z",
"dateUpdated": "2026-05-08T14:04:43.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39918 (GCVE-0-2026-39918)
Vulnerability from cvelistv5 – Published: 2026-04-20 14:46 – Updated: 2026-05-08 14:08
VLAI
Title
Vvveb < 1.0.8.1 Code Injection via Installation Endpoint
Summary
Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the define statement to achieve unauthenticated remote code execution as the web server user.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/releases/tag/1.0.8.1 | release-notes |
| https://github.com/givanz/Vvveb/commit/5162c16391… | patch |
| https://www.vulncheck.com/advisories/vvveb-code-i… | third-party-advisory |
Impacted products
Date Public
2026-04-20 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39918",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T15:30:35.694606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T15:36:55.619Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vvveb",
"repo": "https://github.com/givanz/Vvveb",
"vendor": "givanz",
"versions": [
{
"lessThan": "1.0.8.1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "5162c1639130bd080ab63c7d856788cd59d6b3b7",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mohammed EL OUARDANI (sh4dowalker)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulnCheck"
}
],
"datePublic": "2026-04-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vvveb prior to\u00a01.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the define statement to achieve unauthenticated remote code execution as the web server user."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T14:08:40.514Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/givanz/Vvveb/commit/5162c1639130bd080ab63c7d856788cd59d6b3b7"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vvveb-code-injection-via-installation-endpoint"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Vvveb \u003c 1.0.8.1 Code Injection via Installation Endpoint",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-39918",
"datePublished": "2026-04-20T14:46:33.549Z",
"dateReserved": "2026-04-07T20:57:06.209Z",
"dateUpdated": "2026-05-08T14:08:40.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34428 (GCVE-0-2026-34428)
Vulnerability from cvelistv5 – Published: 2026-04-20 13:55 – Updated: 2026-05-08 13:56
VLAI
Title
Vvveb < 1.0.8.1 SSRF via oEmbedProxy
Summary
Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl() via curl without scheme or destination validation. Authenticated backend users can supply file:// URLs to read arbitrary files readable by the web server process or http:// URLs targeting internal network addresses to probe internal services, with response bodies returned directly to the caller.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/releases/tag/1.0.8.1 | release-notes |
| https://github.com/givanz/Vvveb/commit/2d356844f3… | patch |
| https://www.vulncheck.com/advisories/vvveb-ssrf-v… | third-party-advisory |
Impacted products
Date Public
2026-04-17 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34428",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T14:44:41.884576Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T14:49:33.646Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vvveb",
"repo": "https://github.com/givanz/Vvveb",
"vendor": "givanz",
"versions": [
{
"lessThan": "1.0.8.1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2d356844f37819bf771e7cd5e12a8686975e0b2b",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hamed Kohi of Delta Obscura"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulnCheck"
}
],
"datePublic": "2026-04-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vvveb prior to\u00a01.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl() via curl without scheme or destination validation. Authenticated backend users can supply file:// URLs to read arbitrary files readable by the web server process or http:// URLs targeting internal network addresses to probe internal services, with response bodies returned directly to the caller."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T13:56:12.911Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/givanz/Vvveb/commit/2d356844f37819bf771e7cd5e12a8686975e0b2b"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vvveb-ssrf-via-oembedproxy"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Vvveb \u003c 1.0.8.1 SSRF via oEmbedProxy",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-34428",
"datePublished": "2026-04-20T13:55:36.802Z",
"dateReserved": "2026-03-27T15:24:06.752Z",
"dateUpdated": "2026-05-08T13:56:12.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34427 (GCVE-0-2026-34427)
Vulnerability from cvelistv5 – Published: 2026-04-20 13:55 – Updated: 2026-05-08 13:55 X_Open Source
VLAI
Title
Vvveb < 1.0.8.1 Privilege Escalation via admin/user/save
Summary
Vvveb prior to 1.0.8.1 contains a privilege escalation vulnerability in the admin user profile save endpoint that allows authenticated users to modify privileged fields on their own profile. Attackers can inject role_id=1 into profile save requests to escalate to Super Administrator privileges, enabling plugin upload functionality for remote code execution.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/givanz/Vvveb/releases/tag/1.0.8.1 | release-notes |
| https://github.com/givanz/Vvveb/commit/0eca14af50… | patch |
| https://www.vulncheck.com/advisories/vvveb-privil… | third-party-advisory |
Impacted products
Date Public
2026-04-17 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34427",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T14:50:56.641018Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T14:51:12.245Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vvveb",
"repo": "https://github.com/givanz/Vvveb",
"vendor": "givanz",
"versions": [
{
"lessThan": "1.0.8.1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "0eca14af50f038915b8bf7ceec2becf6b6720b0a",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hamed Kohi of Delta Obscura"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulnCheck"
}
],
"datePublic": "2026-04-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vvveb prior to\u00a01.0.8.1 contains a privilege escalation vulnerability in the admin user profile save endpoint that allows authenticated users to modify privileged fields on their own profile. Attackers can inject role_id=1 into profile save requests to escalate to Super Administrator privileges, enabling plugin upload functionality for remote code execution."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T13:55:54.271Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/givanz/Vvveb/commit/0eca14af50f038915b8bf7ceec2becf6b6720b0a"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vvveb-privilege-escalation-via-admin-user-save"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "Vvveb \u003c 1.0.8.1 Privilege Escalation via admin/user/save",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-34427",
"datePublished": "2026-04-20T13:55:15.311Z",
"dateReserved": "2026-03-27T15:24:06.752Z",
"dateUpdated": "2026-05-08T13:55:54.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34429 (GCVE-0-2026-34429)
Vulnerability from cvelistv5 – Published: 2026-04-20 13:54 – Updated: 2026-05-08 13:56 X_Open Source
VLAI
Title
Vvveb < 1.0.8.1 Stored XSS via Media Upload and Rename
Summary
Vvveb prior to 1.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. Attackers can prepend a GIF89a header to HTML/JavaScript payloads to bypass upload validation, rename the file to .html extension, and execute malicious scripts in an administrator's browser session to create backdoor accounts and upload malicious plugins for remote code execution.
Severity
5.4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://delta.cyberm.ca/bugbin/ur66bvB7BYTC9y0eCI… | technical-descriptionexploit |
| https://github.com/givanz/Vvveb/security/advisori… | vendor-advisory |
| https://github.com/givanz/Vvveb/releases/tag/1.0.8.1 | release-notes |
| https://github.com/givanz/Vvveb/commit/cc997d3359… | patch |
| https://www.vulncheck.com/advisories/vvveb-stored… | third-party-advisory |
Impacted products
Date Public
2026-04-17 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34429",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T14:50:07.310752Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T14:56:19.205Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vvveb",
"repo": "https://github.com/givanz/Vvveb",
"vendor": "givanz",
"versions": [
{
"lessThan": "1.0.8.1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "cc997d3359ea5e49a45c132f5dee3bc80fb441d7",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hamed Kohi"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulnCheck"
}
],
"datePublic": "2026-04-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Vvveb prior to\u00a01.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. Attackers can prepend a GIF89a header to HTML/JavaScript payloads to bypass upload validation, rename the file to .html extension, and execute malicious scripts in an administrator\u0027s browser session to create backdoor accounts and upload malicious plugins for remote code execution."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T13:56:28.718Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://delta.cyberm.ca/bugbin/ur66bvB7BYTC9y0eCIk3uzhZQgbjzAkG/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-2vc4-49hq-g7f4"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/givanz/Vvveb/commit/cc997d3359ea5e49a45c132f5dee3bc80fb441d7"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vvveb-stored-xss-via-media-upload-and-rename"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "Vvveb \u003c 1.0.8.1 Stored XSS via Media Upload and Rename",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-34429",
"datePublished": "2026-04-20T13:54:37.019Z",
"dateReserved": "2026-03-27T15:24:06.752Z",
"dateUpdated": "2026-05-08T13:56:28.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5615 (GCVE-0-2026-5615)
Vulnerability from cvelistv5 – Published: 2026-04-06 03:00 – Updated: 2026-04-06 14:38 X_Open Source
VLAI
Title
givanz Vvvebjs File Upload Endpoint upload.php cross site scripting
Summary
A weakness has been identified in givanz Vvvebjs up to 2.0.5. The affected element is an unknown function of the file upload.php of the component File Upload Endpoint. This manipulation of the argument uploadAllowExtensions causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. Patch name: 8cac22cff99b8bc701c408aa8e887fa702755336. Applying a patch is the recommended action to fix this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/355406 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/355406/cti | signaturepermissions-required |
| https://vuldb.com/submit/785563 | third-party-advisory |
| https://tcn60zf28jhk.feishu.cn/wiki/Cr4KwMPiMi65f… | exploit |
| https://github.com/givanz/VvvebJs/commit/8cac22cf… | patch |
| https://github.com/givanz/VvvebJs/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5615",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T14:30:40.285389Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T14:38:39.145Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"File Upload Endpoint"
],
"product": "Vvvebjs",
"vendor": "givanz",
"versions": [
{
"status": "affected",
"version": "2.0.0"
},
{
"status": "affected",
"version": "2.0.1"
},
{
"status": "affected",
"version": "2.0.2"
},
{
"status": "affected",
"version": "2.0.3"
},
{
"status": "affected",
"version": "2.0.4"
},
{
"status": "affected",
"version": "2.0.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "EthX0_ (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in givanz Vvvebjs up to 2.0.5. The affected element is an unknown function of the file upload.php of the component File Upload Endpoint. This manipulation of the argument uploadAllowExtensions causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. Patch name: 8cac22cff99b8bc701c408aa8e887fa702755336. Applying a patch is the recommended action to fix this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T03:00:53.659Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-355406 | givanz Vvvebjs File Upload Endpoint upload.php cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/355406"
},
{
"name": "VDB-355406 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/355406/cti"
},
{
"name": "Submit #785563 | givanz VvvebJs 2.0.5 Stored XSS",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/785563"
},
{
"tags": [
"exploit"
],
"url": "https://tcn60zf28jhk.feishu.cn/wiki/Cr4KwMPiMi65fFkI9Vyc3oX2n0f?from=from_copylink"
},
{
"tags": [
"patch"
],
"url": "https://github.com/givanz/VvvebJs/commit/8cac22cff99b8bc701c408aa8e887fa702755336"
},
{
"tags": [
"product"
],
"url": "https://github.com/givanz/VvvebJs/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-04-05T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-05T17:37:20.000Z",
"value": "VulDB entry last update"
}
],
"title": "givanz Vvvebjs File Upload Endpoint upload.php cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5615",
"datePublished": "2026-04-06T03:00:53.659Z",
"dateReserved": "2026-04-05T15:32:16.771Z",
"dateUpdated": "2026-04-06T14:38:39.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12203 (GCVE-0-2025-12203)
Vulnerability from cvelistv5 – Published: 2025-10-27 02:02 – Updated: 2026-02-24 07:03 X_Open Source
VLAI
Title
givanz Vvveb Code Editor functions.php sanitizeFileName path traversal
Summary
A weakness has been identified in givanz Vvveb up to 1.0.7.3. This issue affects the function sanitizeFileName of the file system/functions.php of the component Code Editor. Executing a manipulation of the argument File can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. This patch is called b0fa7ff74a3539c6d37000db152caad572e4c39b. Applying a patch is advised to resolve this issue.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Path Traversal
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.329873 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.329873 | signaturepermissions-required |
| https://vuldb.com/?submit.673159 | third-party-advisory |
| https://github.com/givanz/Vvveb/issues/333 | exploitissue-tracking |
| https://github.com/givanz/Vvveb/commit/b0fa7ff74a… | patch |
| https://github.com/givanz/Vvveb/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12203",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-27T20:01:37.122363Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T20:01:52.199Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:vvveb:vvveb:*:*:*:*:*:*:*:*"
],
"modules": [
"Code Editor"
],
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"status": "affected",
"version": "1.0.7.0"
},
{
"status": "affected",
"version": "1.0.7.1"
},
{
"status": "affected",
"version": "1.0.7.2"
},
{
"status": "affected",
"version": "1.0.7.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Huu1j (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in givanz Vvveb up to 1.0.7.3. This issue affects the function sanitizeFileName of the file system/functions.php of the component Code Editor. Executing a manipulation of the argument File can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. This patch is called b0fa7ff74a3539c6d37000db152caad572e4c39b. Applying a patch is advised to resolve this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T07:03:23.983Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-329873 | givanz Vvveb Code Editor functions.php sanitizeFileName path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.329873"
},
{
"name": "VDB-329873 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.329873"
},
{
"name": "Submit #673159 | givanz Vvveb 1.0.7.3 Path traversal",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.673159"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/givanz/Vvveb/issues/333"
},
{
"tags": [
"patch"
],
"url": "https://github.com/givanz/Vvveb/commit/b0fa7ff74a3539c6d37000db152caad572e4c39b"
},
{
"tags": [
"product"
],
"url": "https://github.com/givanz/Vvveb/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2025-10-25T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-10-25T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-11-07T19:28:31.000Z",
"value": "VulDB entry last update"
}
],
"title": "givanz Vvveb Code Editor functions.php sanitizeFileName path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-12203",
"datePublished": "2025-10-27T02:02:06.391Z",
"dateReserved": "2025-10-25T06:27:34.713Z",
"dateUpdated": "2026-02-24T07:03:23.983Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11944 (GCVE-0-2025-11944)
Vulnerability from cvelistv5 – Published: 2025-10-19 20:02 – Updated: 2026-02-24 07:02 X_Open Source
VLAI
Title
givanz Vvveb Raw SQL import.php import sql injection
Summary
A vulnerability was determined in givanz Vvveb up to 1.0.7.3. This affects the function Import of the file admin/controller/tools/import.php of the component Raw SQL Handler. This manipulation causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Patch name: 52204b4a106b2fb02d16eee06a88a1f2697f9b35. It is recommended to apply a patch to fix this issue.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.329024 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.329024 | signaturepermissions-required |
| https://vuldb.com/?submit.673129 | third-party-advisory |
| https://github.com/givanz/Vvveb/issues/332 | issue-tracking |
| https://github.com/givanz/Vvveb/issues/332#issue-… | exploitissue-tracking |
| https://github.com/givanz/Vvveb/commit/52204b4a10… | patch |
| https://github.com/givanz/Vvveb/ | product |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11944",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-20T16:05:32.302799Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T16:05:39.358Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:vvveb:vvveb:*:*:*:*:*:*:*:*"
],
"modules": [
"Raw SQL Handler"
],
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"status": "affected",
"version": "1.0.7.0"
},
{
"status": "affected",
"version": "1.0.7.1"
},
{
"status": "affected",
"version": "1.0.7.2"
},
{
"status": "affected",
"version": "1.0.7.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Huu1j (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in givanz Vvveb up to 1.0.7.3. This affects the function Import of the file admin/controller/tools/import.php of the component Raw SQL Handler. This manipulation causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Patch name: 52204b4a106b2fb02d16eee06a88a1f2697f9b35. It is recommended to apply a patch to fix this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "SQL Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T07:02:19.981Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-329024 | givanz Vvveb Raw SQL import.php import sql injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.329024"
},
{
"name": "VDB-329024 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.329024"
},
{
"name": "Submit #673129 | givanz Vvveb 1.0.7.3 SQL Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.673129"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/givanz/Vvveb/issues/332"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/givanz/Vvveb/issues/332#issue-3505043543"
},
{
"tags": [
"patch"
],
"url": "https://github.com/givanz/Vvveb/commit/52204b4a106b2fb02d16eee06a88a1f2697f9b35"
},
{
"tags": [
"product"
],
"url": "https://github.com/givanz/Vvveb/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2025-10-19T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-10-19T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-10-24T04:20:23.000Z",
"value": "VulDB entry last update"
}
],
"title": "givanz Vvveb Raw SQL import.php import sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-11944",
"datePublished": "2025-10-19T20:02:06.771Z",
"dateReserved": "2025-10-19T02:42:20.402Z",
"dateUpdated": "2026-02-24T07:02:19.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11029 (GCVE-0-2025-11029)
Vulnerability from cvelistv5 – Published: 2025-09-26 16:32 – Updated: 2025-09-26 17:51
VLAI
Title
givanz Vvveb cross-site request forgery
Summary
A weakness has been identified in givanz Vvveb up to 1.0.7.2. This vulnerability affects unknown code. Executing manipulation can lead to cross-site request forgery. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. Once again the project maintainer reacted very professional: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release."
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.325967 | vdb-entry |
| https://vuldb.com/?ctiid.325967 | signaturepermissions-required |
| https://vuldb.com/?submit.657188 | third-party-advisory |
| https://vuldb.com/?submit.657190 | third-party-advisory |
| https://vuldb.com/?submit.657191 | third-party-advisory |
| https://vuldb.com/?submit.657192 | third-party-advisory |
| https://gist.github.com/KhanMarshaI/165ae8f63ec6b… | related |
| https://gist.github.com/KhanMarshaI/db888b65cfd75… | exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11029",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-26T17:35:11.224335Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T17:51:15.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/KhanMarshaI/165ae8f63ec6b5fdf1f4123252499fce"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/KhanMarshaI/db888b65cfd75bead2035348babfb423"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"status": "affected",
"version": "1.0.7.0"
},
{
"status": "affected",
"version": "1.0.7.1"
},
{
"status": "affected",
"version": "1.0.7.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "KhanMarshal (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in givanz Vvveb up to 1.0.7.2. This vulnerability affects unknown code. Executing manipulation can lead to cross-site request forgery. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. Once again the project maintainer reacted very professional: \"I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release.\""
},
{
"lang": "de",
"value": "In givanz Vvveb up to 1.0.7.2 ist eine Schwachstelle entdeckt worden. Davon betroffen ist unbekannter Code. Mittels dem Manipulieren mit unbekannten Daten kann eine cross-site request forgery-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Die Schwachstelle wurde \u00f6ffentlich offengelegt und k\u00f6nnte ausgenutzt werden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T16:32:05.672Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-325967 | givanz Vvveb cross-site request forgery",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.325967"
},
{
"name": "VDB-325967 | CTI Indicators (IOB, IOC)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.325967"
},
{
"name": "Submit #657188 | givanz Vvveb Vvveb 1.0.7.2 State-Changing GET Request",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.657188"
},
{
"name": "Submit #657190 | givanz Vvveb Vvveb 1.0.7.2 State-Changing GET Request (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.657190"
},
{
"name": "Submit #657191 | givanz Vvveb Vvveb 1.0.7.2 State-Changing GET Request (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.657191"
},
{
"name": "Submit #657192 | givanz Vvveb Vvveb 1.0.7.2 State-Changing GET Request (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.657192"
},
{
"tags": [
"related"
],
"url": "https://gist.github.com/KhanMarshaI/165ae8f63ec6b5fdf1f4123252499fce"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/KhanMarshaI/db888b65cfd75bead2035348babfb423"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-09-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-09-26T10:29:45.000Z",
"value": "VulDB entry last update"
}
],
"title": "givanz Vvveb cross-site request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-11029",
"datePublished": "2025-09-26T16:32:05.672Z",
"dateReserved": "2025-09-26T08:24:09.505Z",
"dateUpdated": "2025-09-26T17:51:15.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11028 (GCVE-0-2025-11028)
Vulnerability from cvelistv5 – Published: 2025-09-26 16:02 – Updated: 2025-09-26 17:51
VLAI
Title
givanz Vvveb Image information disclosure
Summary
A security flaw has been discovered in givanz Vvveb up to 1.0.7.2. This affects an unknown part of the component Image Handler. Performing manipulation results in information disclosure. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. Once again the project maintainer reacted very professional: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release."
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.325966 | vdb-entry |
| https://vuldb.com/?ctiid.325966 | signaturepermissions-required |
| https://vuldb.com/?submit.657185 | third-party-advisory |
| https://gist.github.com/KhanMarshaI/9a1a5b72ff7a0… | exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11028",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-26T17:35:44.145051Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T17:51:32.848Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/KhanMarshaI/9a1a5b72ff7a0a9d180ca77d26814bc7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Image Handler"
],
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"status": "affected",
"version": "1.0.7.0"
},
{
"status": "affected",
"version": "1.0.7.1"
},
{
"status": "affected",
"version": "1.0.7.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "KhanMarshal (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in givanz Vvveb up to 1.0.7.2. This affects an unknown part of the component Image Handler. Performing manipulation results in information disclosure. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. Once again the project maintainer reacted very professional: \"I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release.\""
},
{
"lang": "de",
"value": "In givanz Vvveb up to 1.0.7.2 wurde eine Schwachstelle gefunden. Hierbei betrifft es unbekannten Programmcode der Komponente Image Handler. Durch Manipulation mit unbekannten Daten kann eine information disclosure-Schwachstelle ausgenutzt werden. Der Angriff l\u00e4sst sich \u00fcber das Netzwerk starten. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T16:02:07.891Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-325966 | givanz Vvveb Image information disclosure",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.325966"
},
{
"name": "VDB-325966 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.325966"
},
{
"name": "Submit #657185 | givanz Vvveb Vvveb 1.0.7.2 Exposure of Sensitive Information Through Metadata",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.657185"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/KhanMarshaI/9a1a5b72ff7a0a9d180ca77d26814bc7"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-09-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-09-26T10:29:43.000Z",
"value": "VulDB entry last update"
}
],
"title": "givanz Vvveb Image information disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-11028",
"datePublished": "2025-09-26T16:02:07.891Z",
"dateReserved": "2025-09-26T08:24:03.726Z",
"dateUpdated": "2025-09-26T17:51:32.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11027 (GCVE-0-2025-11027)
Vulnerability from cvelistv5 – Published: 2025-09-26 16:02 – Updated: 2025-09-26 17:52
VLAI
Title
givanz Vvveb SVG File cross site scripting
Summary
A vulnerability was identified in givanz Vvveb up to 1.0.7.2. Affected by this issue is some unknown functionality of the component SVG File Handler. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. Once again the project maintainer reacted very professional: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release."
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.325965 | vdb-entry |
| https://vuldb.com/?ctiid.325965 | signaturepermissions-required |
| https://vuldb.com/?submit.657184 | third-party-advisory |
| https://gist.github.com/KhanMarshaI/b90045ee82386… | exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11027",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-26T17:35:59.994354Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T17:52:26.530Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/KhanMarshaI/b90045ee823866a52f33615776b5a6ec"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"SVG File Handler"
],
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"status": "affected",
"version": "1.0.7.0"
},
{
"status": "affected",
"version": "1.0.7.1"
},
{
"status": "affected",
"version": "1.0.7.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "KhanMarshal (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in givanz Vvveb up to 1.0.7.2. Affected by this issue is some unknown functionality of the component SVG File Handler. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. Once again the project maintainer reacted very professional: \"I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release.\""
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in givanz Vvveb up to 1.0.7.2 entdeckt. Dabei betrifft es einen unbekannter Codeteil der Komponente SVG File Handler. Durch die Manipulation mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.3,
"vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T16:02:05.547Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-325965 | givanz Vvveb SVG File cross site scripting",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.325965"
},
{
"name": "VDB-325965 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.325965"
},
{
"name": "Submit #657184 | givanz Vvveb Vvveb 1.0.7.2 File Upload",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.657184"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/KhanMarshaI/b90045ee823866a52f33615776b5a6ec"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-09-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-09-26T10:29:41.000Z",
"value": "VulDB entry last update"
}
],
"title": "givanz Vvveb SVG File cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-11027",
"datePublished": "2025-09-26T16:02:05.547Z",
"dateReserved": "2025-09-26T08:24:01.501Z",
"dateUpdated": "2025-09-26T17:52:26.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11026 (GCVE-0-2025-11026)
Vulnerability from cvelistv5 – Published: 2025-09-26 15:02 – Updated: 2025-09-26 15:14
VLAI
Title
givanz Vvveb Configuration File information disclosure
Summary
A vulnerability was determined in givanz Vvveb up to 1.0.7.2. Affected by this vulnerability is an unknown functionality of the component Configuration File Handler. This manipulation causes information disclosure. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Once again the project maintainer reacted very professional: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release."
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.325964 | vdb-entry |
| https://vuldb.com/?ctiid.325964 | signaturepermissions-required |
| https://vuldb.com/?submit.657181 | third-party-advisory |
| https://gist.github.com/KhanMarshaI/14b48f974cbda… | exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11026",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-26T15:14:28.009513Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T15:14:50.300Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/KhanMarshaI/14b48f974cbdaa3278a81a169e4caae1"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Configuration File Handler"
],
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"status": "affected",
"version": "1.0.7.0"
},
{
"status": "affected",
"version": "1.0.7.1"
},
{
"status": "affected",
"version": "1.0.7.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "KhanMarshal (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in givanz Vvveb up to 1.0.7.2. Affected by this vulnerability is an unknown functionality of the component Configuration File Handler. This manipulation causes information disclosure. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Once again the project maintainer reacted very professional: \"I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release.\""
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in givanz Vvveb up to 1.0.7.2 gefunden. Dies betrifft einen unbekannten Teil der Komponente Configuration File Handler. Mit der Manipulation mit unbekannten Daten kann eine information disclosure-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Die Ausnutzung wurde ver\u00f6ffentlicht und kann verwendet werden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T15:02:06.153Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-325964 | givanz Vvveb Configuration File information disclosure",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.325964"
},
{
"name": "VDB-325964 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.325964"
},
{
"name": "Submit #657181 | givanz Vvveb Vvveb 1.0.7.2 Information Disclosure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.657181"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/KhanMarshaI/14b48f974cbdaa3278a81a169e4caae1"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-09-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-09-26T10:29:40.000Z",
"value": "VulDB entry last update"
}
],
"title": "givanz Vvveb Configuration File information disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-11026",
"datePublished": "2025-09-26T15:02:06.153Z",
"dateReserved": "2025-09-26T08:23:52.860Z",
"dateUpdated": "2025-09-26T15:14:50.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9728 (GCVE-0-2025-9728)
Vulnerability from cvelistv5 – Published: 2025-08-31 12:02 – Updated: 2025-09-02 15:15 X_Open Source
VLAI
Title
givanz Vvveb login.tpl cross site scripting
Summary
A security vulnerability has been detected in givanz Vvveb 1.0.7.2. This affects an unknown part of the file app/template/user/login.tpl. Such manipulation of the argument Email/Password leads to cross site scripting. The attack can be executed remotely. The name of the patch is bbd4c42c66ab818142240348173a669d1d2537fe. Applying a patch is advised to resolve this issue.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.322017 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.322017 | signaturepermissions-required |
| https://vuldb.com/?submit.639704 | third-party-advisory |
| https://github.com/kwerty138/Reflected-XSS-in-Vvv… | related |
| https://github.com/givanz/Vvveb/issues/323 | issue-tracking |
| https://github.com/givanz/Vvveb/commit/bbd4c42c66… | patch |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9728",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-02T14:42:01.145201Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-02T15:15:24.278Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/kwerty138/Reflected-XSS-in-Vvveb-CMS-v1.0.7.2"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/givanz/Vvveb/issues/323"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Vvveb",
"vendor": "givanz",
"versions": [
{
"status": "affected",
"version": "1.0.7.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "andyp138 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in givanz Vvveb 1.0.7.2. This affects an unknown part of the file app/template/user/login.tpl. Such manipulation of the argument Email/Password leads to cross site scripting. The attack can be executed remotely. The name of the patch is bbd4c42c66ab818142240348173a669d1d2537fe. Applying a patch is advised to resolve this issue."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in givanz Vvveb 1.0.7.2 entdeckt. Betroffen ist eine unbekannte Funktion der Datei app/template/user/login.tpl. Durch die Manipulation des Arguments Email/Password mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Ein Angriff ist aus der Distanz m\u00f6glich. Der Patch tr\u00e4gt den Namen bbd4c42c66ab818142240348173a669d1d2537fe. Es wird geraten, einen Patch zu installieren, um dieses Problem zu l\u00f6sen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-31T12:02:07.167Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-322017 | givanz Vvveb login.tpl cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.322017"
},
{
"name": "VDB-322017 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.322017"
},
{
"name": "Submit #639704 | givanz Vvveb 1.0.7.2 Cross Site Scripting",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.639704"
},
{
"tags": [
"related"
],
"url": "https://github.com/kwerty138/Reflected-XSS-in-Vvveb-CMS-v1.0.7.2"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/givanz/Vvveb/issues/323"
},
{
"tags": [
"patch"
],
"url": "https://github.com/givanz/Vvveb/commit/bbd4c42c66ab818142240348173a669d1d2537fe"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2025-08-30T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-30T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-30T15:52:31.000Z",
"value": "VulDB entry last update"
}
],
"title": "givanz Vvveb login.tpl cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9728",
"datePublished": "2025-08-31T12:02:07.167Z",
"dateReserved": "2025-08-30T13:47:19.730Z",
"dateUpdated": "2025-09-02T15:15:24.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}