Description
Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow where the Signup::addUser() controller copies raw POST username values into the display_name field before sanitization occurs. Attackers can submit HTML and script markup in the username field during signup, which gets stripped from the username column but persisted verbatim in the display_name column, allowing stored XSS execution when display_name is rendered without encoding in vulnerable views.
Published: 2026-05-14
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to embed arbitrary HTML and JavaScript in the username field when creating a new user account. The system copies the raw input into the display_name field before any sanitization, storing the malicious payload verbatim. When a view renders that display_name without encoding, the script runs in the victim's browser, allowing execution of arbitrary client-side code. The CVSS score of 5.3 indicates a medium severity risk to confidentiality and integrity for any user who views the affected page.

Affected Systems

The affected product is Vvveb, a content management system by givanz. Any installation running a version earlier than 1.0.8.3 is vulnerable. The vulnerability is present in the signup flow of all pre-1.0.8.3 releases.

Risk and Exploitability

Because the flaw is in the public signup route, an attacker can trigger it simply by creating an account with a crafted username; no prior authentication is required. The stored payload then persists until the display_name is rendered, making exploitation straightforward if a user views the profile or any page that displays that field. The EPSS score is not available, and the issue is not listed in CISA KEV, but the medium CVSS score and the ease of exploitation suggest that it should be treated with a high level of caution.

Generated by OpenCVE AI on May 14, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Vvveb 1.0.8.3 or later, which removes the unsanitized copy to display_name.
  • If an immediate upgrade is not possible, apply a workaround by sanitizing or HTML-encoding the display_name field before rendering it in any template.
  • Monitor the user database for accounts with suspicious display_name values and set up alerts for potential malicious content.
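The pattern behind the finding and the two recommended mitigations, as an added PHP illustration that is not Vvveb's code: a hypothetical signup handler that mirrors the flawed ordering described above (raw POST value copied into display_name before sanitization) next to a corrected version, an output-encoding helper for templates, and a simple check that flags stored display_name values containing markup, for the monitoring action. All function names, the `$post` array, and the sample username are constructed for the example.

```php
<?php
// Added illustration, not Vvveb's code. Function and field names are hypothetical.

// Flawed ordering: display_name receives the raw POST value and only the
// username column is cleaned afterwards, so the two stored columns differ.
function addUserVulnerable(array $post): array {
    $raw = (string) ($post['username'] ?? '');
    $user = ['display_name' => $raw];       // copied before any sanitization
    $user['username'] = strip_tags($raw);   // only this column is cleaned
    return $user;
}

// Corrected ordering: normalize the input once and derive every persisted
// column from the cleaned value, so no column keeps the raw markup.
function addUserFixed(array $post): array {
    $clean = trim(strip_tags((string) ($post['username'] ?? '')));
    return ['username' => $clean, 'display_name' => $clean];
}

// Output encoding is still required on every render path; cleaning the
// input at signup does not by itself make a template safe.
function renderDisplayName(string $displayName): string {
    return htmlspecialchars($displayName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Monitoring helper for the "suspicious display_name values" action:
// returns true when a stored value contains tag delimiters or a script URL.
function looksSuspicious(string $displayName): bool {
    return preg_match('/[<>]|javascript:/i', $displayName) === 1;
}

// Constructed sample input: the tags are a harmless marker, not a working script.
$post = ['username' => '<b>alice</b>'];
var_dump(addUserVulnerable($post)); // display_name keeps the tags, username does not
var_dump(addUserFixed($post));      // both columns hold "alice"
echo renderDisplayName('<b>alice</b>'), "\n"; // &lt;b&gt;alice&lt;/b&gt;
var_dump(looksSuspicious('<b>alice</b>'));   // bool(true)
var_dump(looksSuspicious('alice'));          // bool(false)
```

Run with `php example.php`. The detection helper is deliberately coarse: a legitimate display name rarely contains `<` or `>`, so a periodic query over the users table applying the same test is a cheap way to surface accounts created with crafted usernames while the upgrade is scheduled.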

Advisories

No advisories yet.

History

Thu, 14 May 2026 17:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Givanz; Givanz vvveb
Vendors & Products  |                | Givanz; Givanz vvveb

Thu, 14 May 2026 16:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 15:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow where the Signup::addUser() controller copies raw POST username values into the display_name field before sanitization occurs. Attackers can submit HTML and script markup in the username field during signup, which gets stripped from the username column but persisted verbatim in the display_name column, allowing stored XSS execution when display_name is rendered without encoding in vulnerable views.
Title       |                | Vvveb < 1.0.8.3 Stored XSS via Signup Controller
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
            |                | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T15:58:50.959Z

Reserved: 2026-04-22T18:50:43.620Z

Link: CVE-2026-41932

Vulnrichment

Updated: 2026-05-14T15:33:47.223Z

NVD

Status : Deferred

Published: 2026-05-14T15:16:45.730

Modified: 2026-05-14T16:24:56.240

Link: CVE-2026-41932

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T17:30:15Z

Weaknesses