Description
A weakness has been identified in givanz Vvvebjs up to 2.0.5. The affected element is an unknown function of the file upload.php of the component File Upload Endpoint. This manipulation of the argument uploadAllowExtensions causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. Patch name: 8cac22cff99b8bc701c408aa8e887fa702755336. Applying a patch is the recommended action to fix this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Published: 2026-04-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting in file upload endpoint
Action: Apply Patch
AI Analysis

Impact

Manipulation of the uploadAllowExtensions argument, handled by an as yet unnamed function in Vvvebjs's upload.php, lets an attacker inject script that runs in a victim's browser (cross-site scripting). The scored impact is limited (CVSS 3.x C:N/I:L/A:N, CVSS 4.0 VI:L) and the victim has to interact, typically by opening a crafted link (UI:R in 3.x, UI:P in 4.0), but a successful injection can still be used for session hijacking, data theft or defacement in the context of the affected site. It is classified as CWE-79 and additionally as CWE-94 (code injection).

Affected Systems

The vulnerability affects givanz Vvvebjs up to and including version 2.0.5. The page names the fixing commit (8cac22cff99b8bc701c408aa8e887fa702755336) but no fixed version number, so confirm that a deployment includes that commit rather than relying on a version string alone. Vvvebjs is an open-source drag-and-drop website/page builder with a JavaScript front end and PHP server-side scripts; the vulnerable component is the File Upload Endpoint, upload.php.

Risk and Exploitability

The CVSS 4.0 score of 5.3 (4.3 under CVSS 3.x) indicates moderate risk: the issue is reachable over the network with no privileges required (AV:N/PR:N), but it depends on user interaction (UI:P in 4.0, UI:R in 3.x), consistent with a reflected XSS that a victim must trigger. A public proof of concept exists (E:P; SSVC Exploitation: poc), which raises the likelihood of exploitation before a patch is deployed, while SSVC rates the issue Automatable: no with partial technical impact. The CVE is not in the KEV catalog, and the vendor released a fix quickly. The likely attack path is a crafted HTTP request to upload.php whose uploadAllowExtensions parameter carries script markup that is reflected into the response.

Generated by OpenCVE AI on April 6, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround is recorded in the structured remediation data for this entry; the only fix reference is the patch commit named in the description, 8cac22cff99b8bc701c408aa8e887fa702755336.

OpenCVE Recommended Actions

  • Apply the vendor patch identified by commit hash 8cac22cff99b8bc701c408aa8e887fa702755336
  • Verify that the deployed Vvvebjs checkout includes that commit (no fixed version number is listed on this page, so a version string newer than 2.0.5 is not proof on its own)
  • Do not let the request define the allow-list: keep the permitted upload extensions in server-side configuration, ignore or reject a client-supplied uploadAllowExtensions value, and HTML-encode anything from the request that is reflected into a response (general hardening guidance; the exact vulnerable code path is not detailed on this page)
  • Audit other file upload or input handling endpoints for similar validation and output-encoding weaknesses
  • If the patch cannot be applied immediately, restrict access to upload.php (require authentication, or block it at the web server or WAF for untrusted networks) until the fix is deployed
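The attack path sketched in the analysis above and the allow-list recommendation in this list, as an added PHP illustration that is not Vvvebjs's own code: the weak pattern reads the permitted-extension list from the request and reflects it unescaped into an HTML error, the hardened pattern fixes the list server-side, lets the server choose the stored name, and never reflects request data. The function names (weakUploadHandler, hardenedUploadHandler), the JSON response shape and the contents of UPLOAD_ALLOWED_EXTENSIONS are assumptions made for the example; the real vulnerable code path in upload.php is not shown on this page.

```php
<?php
// Added illustration for this advisory: a reconstruction of the weakness
// class described (reflected XSS through a request-supplied
// uploadAllowExtensions value) beside one hardened form. This is NOT
// Vvvebjs's own upload.php; function names, the JSON response shape and
// the allow-list contents are assumptions made for the example.

declare(strict_types=1);

// ---- Weak pattern (do not use) --------------------------------------------
// The permitted-extension list is read from the request and, when an upload
// is rejected, echoed back into an HTML error page unescaped. Markup in the
// parameter is rendered by the victim's browser: reflected XSS (CWE-79),
// reachable with a single crafted link.
function weakUploadHandler(array $query, array $file): string
{
    $allowed = $query['uploadAllowExtensions'] ?? 'jpg,png,gif';   // attacker-controlled
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!in_array($ext, explode(',', $allowed), true)) {
        return "<p>Extension .$ext not allowed. Allowed: $allowed</p>"; // unescaped reflection
    }
    return '<p>Uploaded</p>';
}

// ---- Hardened pattern -----------------------------------------------------
// 1. The allow-list is a server-side constant; the request cannot change it.
// 2. The extension is validated against that list and the stored file name
//    is chosen by the server, so the client's name never reaches the disk.
// 3. No request value is reflected into HTML. The response is JSON with an
//    explicit content type, and the one string derived from the request is
//    HTML-escaped as defence in depth in case a caller later inlines it.
const UPLOAD_ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

function hardenedUploadHandler(array $file, string $uploadDir): array
{
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!in_array($ext, UPLOAD_ALLOWED_EXTENSIONS, true)) {
        return [
            'status' => 403,
            'body'   => [
                'success' => false,
                'error'   => 'File type not allowed: .'
                    . htmlspecialchars($ext, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
            ],
        ];
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // server-chosen name
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!isset($file['tmp_name'])
        || !is_uploaded_file($file['tmp_name'])
        || !move_uploaded_file($file['tmp_name'], $dest)) {
        return ['status' => 500, 'body' => ['success' => false, 'error' => 'Upload failed']];
    }
    return ['status' => 200, 'body' => ['success' => true, 'file' => $name]];
}

// Web entry point: only the hardened handler is wired up.
if (PHP_SAPI !== 'cli' && isset($_FILES['file'])) {
    $result = hardenedUploadHandler($_FILES['file'], __DIR__ . '/uploads');
    http_response_code($result['status']);
    header('Content-Type: application/json; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
    echo json_encode($result['body'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    exit;
}

// CLI self-check with constructed inputs: a rejected file plus a script
// payload in the parameter, to show the difference between the two handlers.
if (PHP_SAPI === 'cli') {
    $query = ['uploadAllowExtensions' => '<script>alert(1)</script>'];
    $file  = ['name' => 'shell.php', 'tmp_name' => '/nonexistent'];
    echo weakUploadHandler($query, $file), PHP_EOL;       // payload reflected verbatim
    $r = hardenedUploadHandler($file, sys_get_temp_dir());
    echo json_encode($r['body']), PHP_EOL;                // rejected, nothing reflected
}
```

Run with `php upload_example.php` from a shell to see the weak handler return the script tag inside its HTML while the hardened handler returns only a JSON rejection. The JSON_HEX_* flags and the nosniff header are there so that even a browser that renders the JSON response directly has nothing to interpret as markup.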

Generated by OpenCVE AI on April 6, 2026 at 06:20 UTC.


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  -                Givanz
                                        Givanz vvvebjs
  Vendors & Products   -                Givanz
                                        Givanz vvvebjs

Mon, 06 Apr 2026 15:30:00 +0000

  Type      Values Removed   Values Added
  Metrics   -                ssvc
                             {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 06 Apr 2026 04:15:00 +0000

  Type          Values Removed   Values Added
  Description   -                (the description text shown under Description at the top of this page)
  Title         -                givanz Vvvebjs File Upload Endpoint upload.php cross site scripting
  Weaknesses    -                CWE-79
                                 CWE-94
  References    -                (no value shown)
  Metrics       -                cvssV2_0 {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}
                                 cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
                                 cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
                                 cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED
Assigner: VulDB
Published:
Updated: 2026-04-06T14:38:39.145Z
Reserved: 2026-04-05T15:32:16.771Z
Link: CVE-2026-5615

Vulnrichment

Updated: 2026-04-06T14:38:34.399Z

NVD

Status: Deferred
Published: 2026-04-06T04:16:12.930
Modified: 2026-04-29T01:00:01.613
Link: CVE-2026-5615

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:47:31Z

Weaknesses