Description
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an unauthenticated reflected cross-site scripting (XSS) issue in the public product return form in Vvveb CMS. The customer_order_id POST parameter is inserted into the Order %s not found! error message when the order lookup fails, and that message is rendered in the frontend template without HTML escaping. As a result, attacker-controlled HTML/JavaScript executes in the submitting user's browser. This vulnerability is fixed in 1.0.8.3.
Published: 2026-05-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vvveb CMS contains an unauthenticated reflected cross-site scripting vulnerability in the public product return form. When the customer_order_id POST parameter cannot be matched to an order, its raw value is interpolated into the "Order %s not found!" error message, and the frontend template renders that message without HTML escaping. An attacker who induces a victim to submit a crafted form therefore gets arbitrary HTML or JavaScript executed in the victim's browser on the site's origin; the usual consequences of reflected XSS are theft of cookies not flagged HttpOnly, requests issued with the victim's session, and defacement of the rendered page. The weakness is CWE-79, improper neutralization of input during web page generation (cross-site scripting).

Affected Systems

The issue affects Vvveb CMS, developed by Givanz. All versions earlier than 1.0.8.3 are vulnerable; 1.0.8.3 is the first fixed release. The vulnerable code path is the public product return page together with the error handling that formats the "Order %s not found!" message from the submitted customer_order_id.

Risk and Exploitability

The CVSS v4.0 base score is 5.3 (Medium), vector AV:N/AC:L/AT:N/PR:N/UI:P. No authentication is required, but the value is reflected from a POST parameter, so the attacker cannot simply hand a victim a link: the victim must be induced to submit a crafted request to the return form, for example from an attacker-controlled page that posts the form on the victim's behalf, which is why the vector records passive user interaction. The EPSS estimate is below 1%, the CVE is not listed in the CISA KEV catalog, and the SSVC assessment recorded in the history below marks exploitation as 'poc' and the flaw as not automatable. Widespread exploitation is therefore not expected, but any site running an affected version exposes its visitors to arbitrary script execution in their browsers.

Generated by OpenCVE AI on May 15, 2026 at 20:40 UTC.

Remediation

The vendor fix is contained in Vvveb CMS 1.0.8.3, as stated in the description; no separate vendor advisory is linked on this page.

OpenCVE Recommended Actions

  • Upgrade Vvveb CMS to version 1.0.8.3 or later, which contains the fix.
  • If an upgrade cannot be performed immediately, disable or restrict access to the public product return endpoint, or reject customer_order_id values that do not match the expected order-id format before they reach the lookup. Treat filtering as a stopgap only: it narrows the attack surface but does not correct the missing output encoding.
  • Ensure that every error message rendered in the frontend template, including the one built from customer_order_id, is HTML-encoded at output time rather than trusted because the input was checked earlier.

Generated by OpenCVE AI on May 15, 2026 at 20:40 UTC.
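Added example, not code from Vvveb or from this page: the pattern the description and the recommended actions above refer to, written in PHP because Vvveb is a PHP application. The function names, the `findOrder` stand-in, the `postString` helper and the order-id pattern in `isPlausibleOrderId` are assumptions made for the illustration. The vulnerable function reproduces the behaviour the advisory describes (raw POST value interpolated into "Order %s not found!" and echoed unescaped); the hardened function shows the output-encoding fix, and the third function layers the interim input check on top of it.

```php
<?php
declare(strict_types=1);

// Added illustration; none of this is Vvveb's own code. Function names, the
// lookup stand-in and the order-id pattern are assumptions.

// Constructed stand-in for the order lookup. It never finds an order, so the
// "not found" branch that carries the reflected value is always exercised.
function findOrder(string $customerOrderId): ?array
{
    return null;
}

// Read a POST field as a string. PHP decodes customer_order_id[]=... as an
// array, and an array must not reach sprintf() or htmlspecialchars().
function postString(array $post, string $key): string
{
    $value = $post[$key] ?? '';
    return is_string($value) ? $value : '';
}

// VULNERABLE pattern, as the advisory describes it: the raw POST value is
// interpolated into the error message and the template echoes it unescaped.
function renderReturnErrorVulnerable(array $post): string
{
    $id = postString($post, 'customer_order_id');
    if (findOrder($id) === null) {
        $message = sprintf('Order %s not found!', $id);
        return '<div class="alert">' . $message . '</div>'; // no escaping
    }
    return '';
}

// Encode at the output boundary. ENT_QUOTES covers both quote characters so the
// value is also safe inside attribute values; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of making htmlspecialchars() return an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// HARDENED: same message, but the untrusted value is escaped before it is
// placed into HTML. This is the actual fix for CWE-79.
function renderReturnErrorHardened(array $post): string
{
    $id = postString($post, 'customer_order_id');
    if (findOrder($id) === null) {
        $message = sprintf('Order %s not found!', escapeHtml($id));
        return '<div class="alert">' . $message . '</div>';
    }
    return '';
}

// STOPGAP from the recommended actions: reject values that cannot be an order
// id before they reach the lookup. The allowed pattern is an assumption about
// Vvveb order ids; adjust it to the real format. Keep the output encoding even
// with this check in place, because other code paths may echo the same value.
function isPlausibleOrderId(string $id): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id) === 1;
}

function renderReturnErrorWithStopgap(array $post): string
{
    $id = postString($post, 'customer_order_id');
    if (!isPlausibleOrderId($id)) {
        return '<div class="alert">Invalid order id.</div>'; // constant text, nothing reflected
    }
    return renderReturnErrorHardened($post);
}

// Constructed sample submission carrying a harmless XSS canary.
$sample = ['customer_order_id' => '<img src=x onerror=alert(1)>'];

echo renderReturnErrorVulnerable($sample), PHP_EOL;
echo renderReturnErrorHardened($sample), PHP_EOL;
echo renderReturnErrorWithStopgap($sample), PHP_EOL;
```

Run it with the PHP CLI. The first line contains the canary as live markup, which a browser would execute; in the second the angle brackets have become `&lt;` and `&gt;` entities, so the browser displays the value as text; the third never reflects the submitted value at all. The `postString` helper is the check a practitioner should keep in mind when patching this class of bug: PHP's array decoding of repeated or bracketed parameter names is a common way for a type-confusion error to replace a cleanly rendered error page.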

Advisories

No advisories yet.

History

Fri, 15 May 2026 23:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 May 2026 21:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Givanz; Givanz vvveb

Type: Vendors & Products
Values Removed: (none)
Values Added: Givanz; Givanz vvveb

Fri, 15 May 2026 19:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an unauthenticated reflected cross-site scripting (XSS) issue in the public product return form in Vvveb CMS. The customer_order_id POST parameter is inserted into the Order %s not found! error message when the order lookup fails, and that message is rendered in the frontend template without HTML escaping. As a result, attacker-controlled HTML/JavaScript executes in the submitting user's browser. This vulnerability is fixed in 1.0.8.3.

Type: Title
Values Removed: (none)
Values Added: Vvveb: Unauthenticated reflected XSS in public product return form via customer_order_id

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T22:21:56.168Z

Reserved: 2026-05-12T20:31:43.449Z

Link: CVE-2026-45622

Vulnrichment

Updated: 2026-05-15T22:13:45.254Z

NVD

Status: Received

Published: 2026-05-15T19:17:02.023

Modified: 2026-05-15T23:16:21.577

Link: CVE-2026-45622

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T20:45:08Z

Weaknesses