
Vvveb CMS CVE-2026-44826

EUVD-2026-30580 HIGH
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-05-15 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Lifecycle Timeline

Patch available
May 15, 2026 - 20:02 EUVD
Analysis Generated
May 15, 2026 - 19:32 vuln.today

Description (GitHub Advisory)

Vvveb is a powerful and easy-to-use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-add endpoint. Submitting a negative integer is accepted by the server and treated as a normal positive line-item, but with the sign carried through into every downstream computation: line total, sub-total, taxes, and grand total all become negative numbers. The customer-facing cart UI then displays a negative grand total to the user, the checkout flow accepts the negative cart, and the resulting order is persisted in the merchant's database with a negative total column. From the merchant's order management dashboard, this surfaces as a real order with a negative total - a "the merchant owes the customer money" record that no legitimate workflow ever creates. This vulnerability is fixed in 1.0.8.2.
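To make the failure mode concrete, here is an added PHP illustration (not Vvveb's own code, and not the 1.0.8.2 patch). It models a minimal cart in which the raw quantity is cast to int and the sign flows into the sub-total, tax and grand total, as the advisory describes, next to a boundary check that accepts only a strictly positive, bounded integer. The function names, the `MAX_QUANTITY` bound, the SKU, price and tax rate are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Added illustration (not Vvveb's code): a minimal cart model showing why an
// unchecked quantity sign turns every total negative, next to a validation
// step that rejects it at the cart-add boundary.

const MAX_QUANTITY = 1000; // assumed merchant-configured upper bound

/**
 * Vulnerable pattern: the raw request value is cast to int and the sign is
 * carried into the line total, sub-total, tax and grand total.
 */
function cartTotalsUnvalidated(array $cart, float $taxRate): array
{
    $subtotal = 0.0;
    foreach ($cart as $line) {
        $subtotal += (int) $line['quantity'] * $line['price'];
    }
    $tax = round($subtotal * $taxRate, 2);
    return ['subtotal' => $subtotal, 'tax' => $tax, 'total' => $subtotal + $tax];
}

/**
 * Hardened boundary check: accept only a strictly positive, bounded integer.
 * FILTER_VALIDATE_INT rejects floats, exponent notation, trailing garbage and
 * arrays; min_range/max_range reject zero, negatives and absurd quantities.
 */
function validateQuantity(mixed $raw): int
{
    $qty = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => MAX_QUANTITY],
    ]);
    if ($qty === false) {
        throw new InvalidArgumentException(
            'quantity must be an integer between 1 and ' . MAX_QUANTITY
        );
    }
    return $qty;
}

/** Hypothetical cart-add handler that validates before touching the cart. */
function addToCart(array &$cart, string $sku, float $price, mixed $rawQuantity): void
{
    $cart[] = ['sku' => $sku, 'price' => $price, 'quantity' => validateQuantity($rawQuantity)];
}

// Constructed demo input: one 250.00 product with quantity -100 (the value
// used in the advisory's scenario) and a 20% tax rate.
$tampered = [['sku' => 'SKU-1', 'price' => 250.00, 'quantity' => '-100']];
print_r(cartTotalsUnvalidated($tampered, 0.20)); // sign propagates into every figure

$cart = [];
foreach (['3', '-100', '0', '1e3', '10abc', '100000'] as $raw) {
    try {
        addToCart($cart, 'SKU-1', 250.00, $raw);
        echo "accepted quantity {$raw}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected quantity {$raw}: {$e->getMessage()}\n";
    }
}
print_r(cartTotalsUnvalidated($cart, 0.20)); // only the validated line remains
```

The check belongs at the request boundary, before the value reaches any arithmetic, so that the UI, checkout and persistence layers never see a negative line. A second, independent line of defence is to reject negative totals where the order is written (for example a non-negative constraint on the order total), so that a future bypass of the input check still cannot produce the "merchant owes the customer" record the advisory describes.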

Analysis (AI)

Negative quantity manipulation in Vvveb CMS versions before 1.0.8.2 allows unauthenticated remote attackers to create orders with negative totals, potentially defrauding merchants. The cart-add endpoint accepts negative quantity values that propagate through the entire order flow, creating legitimate-looking orders where the merchant appears to owe money to the customer. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Send cart-add request with negative quantity
Exploit: Server accepts and processes negative value
Execution: Negative total propagates through order
Impact: Fraudulent order created with merchant debt

Vulnerability Assessment (AI)

Exploitation: No special conditions - remote unauthenticated exploitation against default configurations of Vvveb CMS ecommerce stores. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 3.1 score of 7.5 (High) reflects network-based, unauthenticated exploitation with no user interaction required, focused on integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker sends a POST request to the cart-add endpoint with a negative quantity value (e.g., -100) for a high-value product. The system calculates a negative line total, resulting in a cart with a large negative grand total that appears as merchant debt to the customer, which could be exploited to request fraudulent refunds.
Remediation: Upgrade Vvveb CMS to version 1.0.8.2 or later, which includes the fix for this vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Identify all Vvveb CMS instances and verify current version numbers; immediately restrict access to cart endpoints via WAF rules if available. …


CVE-2026-44826 vulnerability details – vuln.today
