Description
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an authenticated SQL injection issue in the frontend user order history page in Vvveb CMS. A normal frontend user can log in and access /user/orders. The order_by and direction request parameters are accepted from the URL, propagated through the Orders component, and directly concatenated into the SQL ORDER BY clause in OrderSQL::getAll(). Because of this, attacker-controlled input reaches SQL structure without a whitelist or safe query construction step. This vulnerability is fixed in 1.0.8.3.
Published: 2026-05-15
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows a logged‑in user to inject arbitrary SQL into the ORDER BY clause of the user order history page. Because the order_by and direction parameters are concatenated directly into the query without validation, an attacker can read or manipulate database contents, leading to data exposure or integrity issues. The vulnerability is only exploitable by authenticated users, but once authenticated, any user of the site can trigger the injection.

Affected Systems

The issue exists in the Vvveb CMS delivered by givanz, affecting all installations running a version older than 1.0.8.3. No other product variants or vendor versions were identified.

Risk and Exploitability

With a CVSS score of 8.7, the vulnerability is considered high severity. The exploit requires web access and an authenticated session, so it is not trivial for an external attacker but could be leveraged by any user with login credentials. EPSS data is not available, and the flaw is not yet listed in the CISA KEV catalogue, but the confirmed attack path indicates a direct injection risk. Systems should patch promptly.

Generated by OpenCVE AI on May 15, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vvveb to version 1.0.8.3 or later to eliminate the vulnerability.
  • If an upgrade cannot be performed immediately, enforce a whitelist on the order_by and direction query parameters, allowing only known column names and sort directions.
  • Modify the Orders component to use parameterized queries or other safe query construction techniques so that user input cannot be concatenated directly into SQL statements.
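
The allowlist recommended above, as an added example (not Vvveb's code and not its 1.0.8.3 patch): bound placeholders carry values, not column names or ASC/DESC, so the sort parameters are mapped to fixed SQL fragments instead of being concatenated. The table, column and function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical sort map: keys are the values accepted from the request,
// values are the only identifiers that may appear in the SQL text.
// These names are assumptions, not Vvveb's actual schema.
const ORDER_SORT_COLUMNS = [
    'order_id'   => 'o.order_id',
    'created_at' => 'o.created_at',
    'total'      => 'o.total',
];

/**
 * Build the ORDER BY fragment from untrusted request values.
 * Non-string input (e.g. order_by[]=x arrives as an array) and unknown
 * names fall back to the default sort instead of reaching the query.
 */
function buildOrderBy(mixed $orderBy, mixed $direction): string
{
    $key    = is_string($orderBy) ? $orderBy : '';
    $column = ORDER_SORT_COLUMNS[$key] ?? ORDER_SORT_COLUMNS['created_at'];
    $isAsc  = is_string($direction) && strtoupper($direction) === 'ASC';
    return 'ORDER BY ' . $column . ' ' . ($isAsc ? 'ASC' : 'DESC');
}

/**
 * Values stay in bound parameters; only the allowlisted fragment is
 * interpolated. $userId comes from the server-side session, never the URL.
 */
function buildOrderHistoryQuery(int $userId, array $query): array
{
    $sql = 'SELECT o.order_id, o.created_at, o.total FROM orders o '
         . 'WHERE o.user_id = :user_id '
         . buildOrderBy($query['order_by'] ?? null, $query['direction'] ?? null)
         . ' LIMIT :limit';
    return [$sql, [':user_id' => $userId, ':limit' => 20]];
}

// Constructed sample query strings: valid, outside the allowlist, wrong type.
$samples = [
    ['order_by' => 'total', 'direction' => 'asc'],
    ['order_by' => 'total, 1', 'direction' => 'sideways'],
    ['order_by' => ['total'], 'direction' => null],
];
foreach ($samples as $query) {
    [$sql, $params] = buildOrderHistoryQuery(7, $query);
    echo $sql, PHP_EOL; // the ORDER BY text is always built from the constants
}
```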



Advisories

No advisories yet.

History

Sat, 16 May 2026 02:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 15 May 2026 21:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Givanz; Givanz vvveb
Vendors & Products | | Givanz; Givanz vvveb

Fri, 15 May 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an authenticated SQL injection issue in the frontend user order history page in Vvveb CMS. A normal frontend user can log in and access /user/orders. The order_by and direction request parameters are accepted from the URL, propagated through the Orders component, and directly concatenated into the SQL ORDER BY clause in OrderSQL::getAll(). Because of this, attacker-controlled input reaches SQL structure without a whitelist or safe query construction step. This vulnerability is fixed in 1.0.8.3.
Title | | Vvveb: Authenticated SQL injection in /user/orders via order_by and direction
Weaknesses | | CWE-89
References | |
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-16T01:21:02.433Z

Reserved: 2026-05-13T08:19:32.603Z

Link: CVE-2026-45800

Vulnrichment

Updated: 2026-05-16T01:20:57.284Z

NVD

Status: Received

Published: 2026-05-15T19:17:02.247

Modified: 2026-05-16T02:16:15.483

Link: CVE-2026-45800

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T20:45:08Z

Weaknesses