Description
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.1, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Vvveb CMS comment submission flow. The author field is submitted by an unauthenticated user on any public post page, stored without sanitization, and later rendered unsanitized in two distinct sinks: This vulnerability is fixed in 1.0.8.1.
Published: 2026-05-15
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vvveb CMS prior to version 1.0.8.1 stores the comment author field without sanitization. When a visitor submits a comment on a public post, the author value is persisted as-is and later rendered without output encoding in two separate locations. The result is a stored Cross-Site Scripting (XSS) vulnerability: attacker-supplied script runs in the browser of anyone who views the affected page, within the site's origin, which can lead to session hijacking, defacement, or arbitrary actions performed with the viewer's privileges.

Affected Systems

All installations of the Vvveb content management system running a release older than 1.0.8.1 are vulnerable. The flaw manifests on any public post page that accepts unauthenticated comments, and it does not require privileged access to exploit.

Risk and Exploitability

The CVSS 3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates medium severity: the attack is network-reachable and needs no privileges, but the victim must load the affected page (UI:R), and the changed scope reflects that the payload runs in the browser of whoever views the post rather than against the CMS itself. EPSS is below 1% (very low) and the vulnerability is not listed in CISA's KEV catalog; absence from KEV means CISA has not confirmed exploitation in the wild, not that no exploit exists, and the SSVC data recorded for this CVE lists Exploitation as 'poc'. An attacker triggers the issue by posting a crafted author string through the public comment form; no setup or credentials are required. Once stored, the payload executes in the browser of every visitor who views the comment, so the exposure persists until the patched version is deployed or the stored value is removed.

Generated by OpenCVE AI on May 15, 2026 at 20:23 UTC.

Remediation

Fixed in Vvveb 1.0.8.1; upgrade to that release or later. No separate vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade the Vvveb CMS to version 1.0.8.1 or later, which removes the unsanitized handling of the comment author field.
  • If an immediate upgrade is not possible, disable the comment functionality on public posts or restrict comment submission to authenticated users only.
  • If comments must remain operational, apply context-appropriate output encoding (HTML entity encoding) to the author field at every point where it is rendered, covering both sinks. Encoding is preferable to stripping <script> tags: a blocklist misses payloads such as event-handler attributes (for example onerror or onmouseover) and attribute-breakout strings that contain no script tag at all.
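The following is an added example, not code from Vvveb or from OpenCVE, that illustrates the Impact analysis and the output-encoding recommendation above. It assumes two rendering sinks for the author value (a quoted HTML attribute and element text content) and a column named author; the advisory does not name Vvveb's real templates or schema, so both are placeholders. The sample comment rows are constructed. The script renders each row three ways (unencoded, with <script> tags stripped, and HTML-encoded), then parses the resulting markup the way a browser would and lists anything that would execute script.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample rows standing in for stored comments. The attacker-controlled
# values are the kind an unauthenticated visitor could submit through a comment
# form; the column name "author" is an assumption, not Vvveb's schema.
SAMPLE_COMMENTS = [
    {"author": "Alice", "text": "Nice post"},
    {"author": "<script>alert(1)</script>", "text": "first"},
    # Survives a filter that only removes <script> tags.
    {"author": "<img src=x onerror=alert(3)>", "text": "hi"},
    # Needs no tag at all: closes the quoted attribute and adds a handler.
    {"author": 'bob" onmouseover="alert(2)', "text": "hello"},
]

SCRIPT_TAG_RE = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def identity(value: str) -> str:
    """No output encoding at all (the pre-1.0.8.1 behaviour described above)."""
    return value


def strip_script_tags(value: str) -> str:
    """Blocklist approach: delete <script> tags and nothing else."""
    return SCRIPT_TAG_RE.sub("", value)


def encode_for_html(value: str) -> str:
    """Output encoding that is safe for both sinks used here: HTML text content
    and a double-quoted attribute value. quote=True also encodes " and '."""
    return html.escape(value, quote=True)


def render_comment(comment: dict, encode) -> str:
    """Render one comment with the author value passing through ``encode``.
    The two sinks (an attribute and text content) are assumed for illustration;
    the advisory does not name Vvveb's actual templates."""
    author = encode(comment["author"])
    text = html.escape(comment["text"])
    return f'<div class="comment" title="{author}"><b>{author}</b>: {text}</div>'


class _TagCollector(HTMLParser):
    """Records every start tag and its attributes, as a browser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def executable_constructs(rendered: str) -> list[str]:
    """Parse rendered HTML and list what would run script: <script> elements
    and on* event-handler attributes on any element."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    findings = []
    for tag, attrs in parser.tags:
        if tag == "script":
            findings.append("script tag")
        findings.extend(f"{tag}@{name}" for name in attrs if name.lower().startswith("on"))
    return findings


def audit(encode) -> dict[str, list[str]]:
    """Render every sample comment through ``encode`` and report, per author
    value, which executable constructs survive into the page."""
    return {c["author"]: executable_constructs(render_comment(c, encode))
            for c in SAMPLE_COMMENTS}


def find_suspicious_authors(comments) -> list[str]:
    """Triage helper for an existing install: author values containing HTML
    metacharacters deserve a look before and after upgrading."""
    return [c["author"] for c in comments if any(ch in c["author"] for ch in '<>"\'&')]


if __name__ == "__main__":
    for label, fn in (("unencoded", identity), ("script tags stripped", strip_script_tags),
                      ("HTML-encoded", encode_for_html)):
        bad = {a: f for a, f in audit(fn).items() if f}
        print(f"{label}: {len(bad)} of {len(SAMPLE_COMMENTS)} comments still execute script")
    print("suspicious stored authors:", find_suspicious_authors(SAMPLE_COMMENTS))
```

Running the script shows three of the four rows executing script when unencoded, two still executing after <script> stripping, and none after HTML encoding. The find_suspicious_authors check is the kind of query worth running against an existing comments table during triage: a payload stored before the upgrade keeps firing until the row itself is cleaned up, because 1.0.8.1 changes how the value is handled, not what is already in the database.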


Advisories

No advisories yet.

History

Sat, 16 May 2026 02:15:00 +0000

Metrics (ssvc), values added:

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 May 2026 20:45:00 +0000

First Time appeared, values added: Givanz; Givanz vvveb
Vendors & Products, values added: Givanz; Givanz vvveb

Fri, 15 May 2026 19:00:00 +0000

Description, values added: Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.1, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Vvveb CMS comment submission flow. The author field is submitted by an unauthenticated user on any public post page, stored without sanitization, and later rendered unsanitized in two distinct sinks: This vulnerability is fixed in 1.0.8.1.
Title, values added: Vvveb: Stored XSS via Comment Author Field
Weaknesses, values added: CWE-79
References, values added: (none shown)
Metrics (cvssV3_1), values added:

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-16T01:15:00.615Z

Reserved: 2026-05-05T20:15:20.631Z

Link: CVE-2026-44366

Vulnrichment

Updated: 2026-05-16T01:14:53.810Z

NVD

Status : Received

Published: 2026-05-15T19:16:59.340

Modified: 2026-05-16T02:16:14.890

Link: CVE-2026-44366

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T20:30:06Z

Weaknesses