Skip to main content

Vvveb CMS CVE-2026-45616

| EUVD-2026-30579 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-15 GitHub_M
XSS Vvveb
5.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
May 15, 2026 - 20:02 EUVD
Analysis Generated
May 15, 2026 - 19:36 vuln.today
CVSS changed
May 15, 2026 - 19:22 NVD
5.1 (MEDIUM)

DescriptionGitHub Advisory

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, This vulnerability is fixed in 1.0.8.3.

AnalysisAI

Cross-site scripting (XSS) in Vvveb CMS versions prior to 1.0.8.3 allows authenticated users to inject malicious scripts that execute in victim browsers with user interaction. The CVSS 4.0 vector indicates network-based attack requiring low-privilege authentication and user interaction, with low confidentiality and integrity impact to the subsequent system. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege CMS credentials
Delivery
Create malicious page with XSS payload
Exploit
Store content in Vvveb database
Execution
Admin views poisoned content
Persist
Execute JavaScript in admin session
Impact
Exfiltrate session tokens or perform privileged actions
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Requires authenticated access to Vvveb CMS with content creation or editing permissions (CVSS PR:L) - typically any registered user role with page or post editing capabilities. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate despite the medium CVSS score of 5.1. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated attacker with low-privilege CMS access crafts a malicious page or content element containing JavaScript payload and saves it to the Vvveb database. When an administrator or higher-privileged user views or edits the poisoned content through the CMS interface, the stored script executes in their browser context, enabling session cookie theft or administrative action hijacking. …
Remediation Upgrade Vvveb CMS to version 1.0.8.3 or later immediately, as confirmed by GitHub security advisory GHSA-39gc-pjv5-4w4p at https://github.com/givanz/Vvveb/security/advisories/GHSA-39gc-pjv5-4w4p. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-45616 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy