Impact
Vvveb versions prior to 1.0.8.1 contain a stored cross‑site scripting flaw that allows authenticated users with media upload and rename rights to inject arbitrary JavaScript. By appending a GIF89a header to an HTML/JavaScript payload and then renaming the file to a .html extension, the attacker can execute malicious code in the browser of any administrator who later opens the file. The injected script can create backdoor accounts and upload malicious plugins, ultimately enabling remote code execution. The weakness is a classic CWE‑79 stored XSS.
Affected Systems
The vulnerability affects the Vvveb content‑management system, specifically any installation running a version earlier than 1.0.8.1. Only users who are authenticated and have permissions to upload and rename media files are able to exploit the flaw. Administrators should upgrade to the released 1.0.8.1 or later, which removes the MIME type bypass and filename‑change loophole.
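The two conditions named above (content that passes as an image by its leading bytes, and a rename that changes the extension) can be checked server-side as in the following added example. It is not Vvveb's code or the 1.0.8.1 patch; the function names, the allowlist, the markup tokens and the sample bytes are assumptions constructed for illustration.

```python
import os

# Assumed allowlist: media extension -> magic bytes the content must start with.
ALLOWED = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Tokens that indicate active content if the file is ever served as HTML.
MARKUP = (b"<script", b"<html", b"<!doctype", b"<svg", b"<iframe", b"<body")

def ext_of(name):
    return os.path.splitext(os.path.basename(name))[1].lower()

def check_upload(filename, data):
    """Return a list of rejection reasons; an empty list means accept."""
    reasons = []
    magics = ALLOWED.get(ext_of(filename))
    if magics is None:
        reasons.append("extension not in media allowlist")
    elif not data.startswith(magics):
        reasons.append("content does not match extension")
    lowered = data.lower()
    if any(tok in lowered for tok in MARKUP):  # magic bytes alone prove nothing
        reasons.append("markup found inside media file")
    return reasons

def check_rename(old_name, new_name):
    """A rename may change the base name but never the (allowlisted) extension."""
    reasons = []
    if ext_of(new_name) not in ALLOWED:
        reasons.append("target extension not in media allowlist")
    if ext_of(new_name) != ext_of(old_name):
        reasons.append("rename changes file extension")
    return reasons

# Constructed samples: an inert GIF/HTML polyglot and a minimal 1x1 GIF.
POLYGLOT = b"GIF89a<html><body><script>/* inert placeholder */</script></body></html>"
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")

if __name__ == "__main__":
    print(check_upload("logo.gif", REAL_GIF))
    print(check_upload("logo.gif", POLYGLOT))
    print(check_rename("logo.gif", "logo.html"))
```

The polyglot passes a magic-byte test on its own, which is why the content scan and the rename check are separate controls.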
Risk and Exploitability
The CVSS score of 5.1 reflects moderate severity, but the lack of an EPSS score means there is currently no publicly available data on exploitation probability. The flaw is not listed in the CISA KEV catalog. Because the flaw is exploitable only by authenticated users with specific file‑handling permissions, the risk depends on the strength of access controls and user credentials. However, once a file is executed, the attacker can gain a fresh administrative account and upload code that can run on the server, effectively providing a backdoor for remote code execution. Consequently, organizations that host Vvveb sites should treat this as a high‑risk vulnerability if their CMS is exposed to untrusted users or has weak authentication mechanisms.