Description
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart_id and uses it to enter the payment flow without verifying cart ownership. A logged-in attacker can therefore reuse another user's cart data in their own checkout session. This vulnerability is fixed in 1.0.8.3.
Published: 2026-05-15
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Vvveb checkout endpoint accepted a cart_id supplied by the requester without verifying that the cart belonged to the authenticated user. This insecure direct object reference (IDOR, CWE-639) allowed a logged-in attacker to reuse another user's cart data, potentially completing purchases on behalf of the victim and causing financial loss or fraudulent transactions.

Affected Systems

The vulnerability affects the Vvveb content management system developed by givanz and applies to versions prior to 1.0.8.3, meaning any installation running a version earlier than that release is susceptible.

Risk and Exploitability

With a CVSS score of 7.6, the issue is classified as high severity. Although no EPSS score is available and it is not listed in the CISA KEV catalog, the fact that any logged-in account suffices lowers the barrier to exploitation. An attacker can gain unauthorized control over cart contents, resulting in potential fraud or unauthorized chargebacks.

Generated by OpenCVE AI on May 15, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vvveb to version 1.0.8.3 or later to apply the vendor’s fix.
  • Implement a check that verifies cart ownership before proceeding to payment, ensuring that only the cart owner can advance to the checkout stage.
  • Monitor order flows for anomalies such as cart reuse between unrelated user sessions and review any suspicious transactions promptly.
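The second and third recommended actions, ownership verification before payment and monitoring for cart reuse across users, are shown below as an added illustration. This is not Vvveb's code (Vvveb is written in PHP; this is language-neutral Python); the Cart record, the CARTS and EVENTS sample data, and the function names are assumptions constructed for the example.

```python
"""Cart-ownership check before entering a payment flow, plus a simple
cart-reuse monitor. Added example; not taken from the Vvveb project."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Cart:
    cart_id: int
    owner_id: int          # the user account the cart was created for
    items: tuple


class CheckoutError(Exception):
    """Raised when a cart cannot be used for the current checkout."""


# Constructed sample data: two carts belonging to two different users.
CARTS = {
    101: Cart(cart_id=101, owner_id=1, items=("laptop",)),
    202: Cart(cart_id=202, owner_id=2, items=("camera", "tripod")),
}


def begin_payment_vulnerable(carts, session_user_id, requested_cart_id):
    """Pattern described in the advisory: the cart is looked up by the
    request parameter alone, so the session user is never compared with
    the cart owner and any authenticated user can proceed with a
    cart_id that is not theirs."""
    cart = carts.get(requested_cart_id)
    if cart is None:
        raise CheckoutError("cart not found")
    return cart


def begin_payment_fixed(carts, session_user_id, requested_cart_id):
    """Hardened form: the lookup is scoped to the authenticated user.
    A cart that exists but belongs to someone else is treated exactly
    like a missing cart, so the response does not reveal whether the
    guessed cart_id is valid."""
    cart = carts.get(requested_cart_id)
    if cart is None or cart.owner_id != session_user_id:
        raise CheckoutError("cart not found")
    return cart


def ownership_check_passes(carts, session_user_id, requested_cart_id):
    """Convenience wrapper: True if the fixed handler lets the request
    into the payment flow, False if it is rejected."""
    try:
        begin_payment_fixed(carts, session_user_id, requested_cart_id)
        return True
    except CheckoutError:
        return False


# Constructed checkout log: (session_user_id, cart_id) per payment attempt.
EVENTS = [
    (1, 101),
    (2, 202),
    (1, 202),   # user 1 entering payment with user 2's cart
    (2, 202),
]


def find_cart_reuse(events):
    """Return cart_ids that appear in checkout attempts from more than
    one distinct user. Legitimate flows have one owner per cart, so a
    cart shared across unrelated sessions is worth reviewing."""
    users_by_cart = {}
    for user_id, cart_id in events:
        users_by_cart.setdefault(cart_id, set()).add(user_id)
    return sorted(cid for cid, users in users_by_cart.items() if len(users) > 1)


if __name__ == "__main__":
    # User 1 presents user 2's cart: vulnerable handler accepts, fixed one refuses.
    print(begin_payment_vulnerable(CARTS, 1, 202))
    print(ownership_check_passes(CARTS, 1, 202))
    print(ownership_check_passes(CARTS, 2, 202))
    print(find_cart_reuse(EVENTS))
```

The key design point is in begin_payment_fixed: the owner comparison happens at lookup time, inside the same code path that fetches the cart, so no later step in the payment flow can be reached with a cart the session user does not own. The monitor in find_cart_reuse is a retrospective check for installations that were exposed before upgrading.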


Advisories

No advisories yet.

History

Fri, 15 May 2026 21:00:00 +0000

Type: First Time appeared
Values Added: Givanz; Givanz vvveb

Type: Vendors & Products
Values Added: Givanz; Givanz vvveb

Fri, 15 May 2026 19:00:00 +0000

Type: Description
Values Added: Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart_id and uses it to enter the payment flow without verifying cart ownership. A logged-in attacker can therefore reuse another user's cart data in their own checkout session. This vulnerability is fixed in 1.0.8.3.

Type: Title
Values Added: Vvveb: checkout IDOR allows unauthorized reuse of another user's cart

Type: Weaknesses
Values Added: CWE-639

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T19:53:13.706Z

Reserved: 2026-05-13T21:04:10.932Z

Link: CVE-2026-46408

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-15T19:17:04.460

Modified: 2026-05-15T20:16:49.503

Link: CVE-2026-46408

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T20:45:08Z

Weaknesses