Description
Vvveb is a powerful and easy-to-use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-add endpoint. Submitting a negative integer is accepted by the server and treated as a normal positive line-item, but with the sign carried through into every downstream computation: line total, sub-total, taxes, and grand total all become negative numbers. The customer-facing cart UI then displays a negative grand total to the user, the checkout flow accepts the negative cart, and the resulting order is persisted in the merchant's database with a negative total column. From the merchant's order management dashboard, this surfaces as a real order with a negative total — a "the merchant owes the customer money" record that no legitimate workflow ever creates. This vulnerability is fixed in 1.0.8.2.
Published: 2026-05-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vvveb CMS fails to validate the sign of the quantity parameter submitted to its cart-add endpoint. A negative integer is interpreted as a normal line item yet the sign propagates into all subsequent calculations. The line total, sub‑total, taxes and grand total become negative, causing the customer‑facing UI to display a negative grand total and allowing the checkout flow to accept the cart. As a result, an order is persisted in the merchant's database with a negative total, producing a record that indicates the merchant owes money to the customer—a condition that cannot arise through any legitimate workflow.

Affected Systems

Vvveb CMS, developed by givanz, is affected in all releases before version 1.0.8.2. The issue is present in any instance of the cart‑add endpoint that accepts the quantity parameter without sign validation.

Risk and Exploitability

The CVSS score of 7.5 reflects a high impact level, though no EPSS score is available and the vulnerability is not listed in CISA KEV. Attackers can exploit this flaw simply by crafting a malicious HTTP request with a negative quantity to the cart‑add endpoint, a capability available to anyone who can reach the target website. Successful exploitation leads to a financial loss for the merchant and potential confusion or fraud.

Generated by OpenCVE AI on May 15, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vvveb CMS to version 1.0.8.2 or later, where the sign validation has been added.
  • Implement server‑side validation to allow only positive integers for the quantity field if the upgrade cannot be performed immediately.
  • Continuously monitor order logs for negative total values as an early detection measure until the patch is applied.

Generated by OpenCVE AI on May 15, 2026 at 20:40 UTC.
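
The server-side quantity validation and negative-total check recommended above, sketched as an added example in PHP (the language Vvveb is written in). It is not Vvveb's code or the 1.0.8.2 fix; the function names, the MAX_QTY ceiling, the cents and basis-point representation and the sample cart are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration with hypothetical names; not Vvveb's code or schema.
const MAX_QTY = 1000; // assumed per-line ceiling, set to your business limit

/** Parse a raw request value into a quantity in [1, MAX_QTY], or throw. */
function parseQuantity(mixed $raw): int
{
    // FILTER_VALIDATE_INT rejects "1.5", "1e3", "", arrays and overflow;
    // min_range rejects 0 and every negative value.
    $qty = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => MAX_QTY],
    ]);
    if ($qty === false) {
        throw new InvalidArgumentException('quantity must be an integer from 1 to ' . MAX_QTY);
    }
    return $qty;
}

/** Totals in integer minor units (cents); $taxBp is the tax rate in basis points. */
function cartTotals(array $lines, int $taxBp): array
{
    $sub = 0;
    foreach ($lines as $line) {
        $sub += $line['unit_cents'] * $line['qty']; // a negative qty flips the sign here
    }
    $tax = intdiv($sub * $taxBp, 10000);
    return ['sub' => $sub, 'tax' => $tax, 'grand' => $sub + $tax];
}

/** Second gate before persisting: refuse any order that breaks the invariant. */
function assertOrderSane(array $lines, array $totals): void
{
    foreach ($lines as $line) {
        if ($line['qty'] < 1) throw new DomainException('non-positive line quantity');
    }
    if (min($totals['sub'], $totals['tax'], $totals['grand']) < 0) {
        throw new DomainException('negative order total');
    }
}

// Constructed sample: without validation the sign reaches the grand total.
$bad = [['unit_cents' => 1999, 'qty' => (int) '-3']];
echo 'unvalidated grand total (cents): ', cartTotals($bad, 2000)['grand'], PHP_EOL;
foreach (['2', '-3', '0', '1.5', '1e3'] as $raw) {
    try { echo $raw, ' => ', parseQuantity($raw), PHP_EOL; }
    catch (InvalidArgumentException $e) { echo $raw, ' => rejected', PHP_EOL; }
}
try { assertOrderSane($bad, cartTotals($bad, 2000)); } catch (DomainException $e) { echo 'checkout refused: ', $e->getMessage(), PHP_EOL; }
```

Validating at the cart-add boundary stops the bad value entering the cart; the checkout-time invariant catches carts that were populated before the check existed or through another code path.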

Advisories

No advisories yet.

History

Fri, 15 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 May 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Givanz
Givanz vvveb
Vendors & Products Givanz
Givanz vvveb

Fri, 15 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Vvveb is a powerful and easy-to-use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-add endpoint. Submitting a negative integer is accepted by the server and treated as a normal positive line-item, but with the sign carried through into every downstream computation: line total, sub-total, taxes, and grand total all become negative numbers. The customer-facing cart UI then displays a negative grand total to the user, the checkout flow accepts the negative cart, and the resulting order is persisted in the merchant's database with a negative total column. From the merchant's order management dashboard, this surfaces as a real order with a negative total — a "the merchant owes the customer money" record that no legitimate workflow ever creates. This vulnerability is fixed in 1.0.8.2.
Title Vvveb: Vvveb CMS — Negative-quantity cart manipulation allows creation of orders with negative grand totals
Weaknesses CWE-1284
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T21:11:41.143Z

Reserved: 2026-05-07T21:21:48.351Z

Link: CVE-2026-44826

Vulnrichment

Updated: 2026-05-15T21:11:29.733Z

NVD

Status: Received

Published: 2026-05-15T19:17:00.913

Modified: 2026-05-15T22:16:53.610

Link: CVE-2026-44826

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T21:00:08Z