Description
Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or auto-submitted form that causes victims to execute attacker-controlled JavaScript in the context of the Vvveb origin, as the gating function isEditor() performs no session, role, or token verification and the view handler injects raw HTML POST body content without sanitization.
Published: 2026-05-07
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vvveb versions prior to 1.0.8.2 contain a reflected cross‑site scripting flaw in the visual editor preview renderer. An attacker can inject arbitrary JavaScript by manipulating the r query parameter and the _component_ajax POST payload, which the system renders without any session, role, or token checks and without sanitizing the content. The flaw is a classic CWE‑79 problem and allows an unauthenticated user to force a victim’s browser to execute malicious code in the context of the Vvveb website, potentially leading to theft of session cookies, defacement, or further phishing attacks.

Affected Systems

The vulnerability affects the Vvveb content management system from the Givanz vendor. Any installation running a version older than 1.0.8.2 is impacted; versions 1.0.8.2 and later contain the fix.

Risk and Exploitability

The CVSS score of 5.1 places this flaw in the medium range, and the EPSS score is currently unavailable, indicating no public exploitation data yet. Because the attack vector is unauthenticated and relies on a malicious link or auto‑submitted form, the likelihood of exploitation depends on whether users of a vulnerable installation can be lured to an attacker-supplied link or form. The flaw is not listed in the CISA KEV catalog, so no known active exploits have been reported. Nonetheless, any web application that exposes the visual editor to unauthenticated users should be treated as a security risk.

Generated by OpenCVE AI on May 7, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vvveb to version 1.0.8.2 or later
  • If upgrading is not immediately possible, disable the visual editor preview feature or restrict the _component_ajax POST endpoint to authenticated sessions
  • Apply input validation or output escaping to all content rendered by the visual editor when processing POST data
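The three actions above correspond to three controls in the preview handler: an authentication gate, a CSRF check on the POST, and validation or escaping of what gets reflected. The following is an added example of a hardened handler written for this page; it is not Vvveb's own code, and every name in it (requireEditorSession, verifyCsrfToken, validateRoute, renderPreview, the $allowedRoutes list, the _csrf field) is a hypothetical stand-in for whatever the project actually uses.

```php
<?php
// Added example, not Vvveb code. All function names, the _csrf field and the
// route allowlist are hypothetical; only the r and _component_ajax parameter
// names come from the advisory.

declare(strict_types=1);

session_start();

// 1. Gate the renderer on an authenticated editor session. A gate that only
//    looks at the request path (as the advisory describes for isEditor())
//    admits any visitor, because any visitor can request that path.
function requireEditorSession(): void
{
    $role = $_SESSION['user']['role'] ?? null;
    if ($role !== 'admin' && $role !== 'editor') {
        http_response_code(403);
        exit('Forbidden');
    }
}

// 2. Require a per-session CSRF token on the POST, compared in constant time,
//    so an auto-submitted cross-origin form cannot drive the renderer.
function verifyCsrfToken(array $post): void
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['_csrf'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// 3a. Validate r against an allowlist of route names instead of reflecting it.
function validateRoute(?string $r, array $allowedRoutes): string
{
    if ($r === null || !in_array($r, $allowedRoutes, true)) {
        http_response_code(400);
        exit('Unknown route');
    }
    return $r;
}

// 3b. Escape the POST body before it is embedded, so <, >, quotes and
//     ampersands become inert entities rather than markup.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderPreview(string $route, string $componentBody): string
{
    return '<div class="preview" data-route="' . escapeHtml($route) . '">'
         . escapeHtml($componentBody)
         . '</div>';
}

// Request handling for POST /?r=<route> carrying _component_ajax and _csrf.
$allowedRoutes = ['editor/preview', 'editor/component'];  // constructed allowlist

requireEditorSession();
verifyCsrfToken($_POST);
$route = validateRoute($_GET['r'] ?? null, $allowedRoutes);
$body  = is_string($_POST['_component_ajax'] ?? null) ? $_POST['_component_ajax'] : '';

header('Content-Type: text/html; charset=UTF-8');
// Defence in depth: even if a reflection slips through, inline script is refused.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
echo renderPreview($route, $body);
```

One caveat matters for a visual editor: if the preview feature legitimately has to render editor-supplied HTML, full escaping as in renderPreview would break it. In that case the authentication and CSRF gates carry the weight, and escaping is replaced by an allowlist-based HTML sanitizer run over the body before it is embedded; what must never happen is the combination the advisory describes, an ungated endpoint that echoes raw POST markup.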

Advisories

No advisories yet.

History

Thu, 07 May 2026 23:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Givanz; Givanz vvveb
Vendors & Products   -                Givanz; Givanz vvveb

Thu, 07 May 2026 21:30:00 +0000

Type         Values Removed   Values Added
Description  -                Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or auto-submitted form that causes victims to execute attacker-controlled JavaScript in the context of the Vvveb origin, as the gating function isEditor() performs no session, role, or token verification and the view handler injects raw HTML POST body content without sanitization.
Title        -                Vvveb < 1.0.8.2 Unauthenticated Reflected XSS via Visual Editor
Weaknesses   -                CWE-79
References   -
Metrics      -                cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
                              cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-07T21:08:50.762Z

Reserved: 2026-04-22T18:50:43.620Z

Link: CVE-2026-41929

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-07T22:16:35.450

Modified: 2026-05-07T22:16:35.450

Link: CVE-2026-41929

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T22:45:24Z

Weaknesses