Skip to main content

Vvveb CMS CVE-2026-45800

| EUVDEUVD-2026-30582 HIGH
SQL Injection (CWE-89)
2026-05-15 GitHub_M
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 15, 2026 - 20:02 EUVD
Analysis Generated
May 15, 2026 - 19:32 vuln.today
CVSS changed
May 15, 2026 - 19:22 NVD
8.7 (HIGH)

DescriptionGitHub Advisory

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an authenticated SQL injection issue in the frontend user order history page in Vvveb CMS. A normal frontend user can log in and access /user/orders. The order_by and direction request parameters are accepted from the URL, propagated through the Orders component, and directly concatenated into the SQL ORDER BY clause in OrderSQL::getAll(). Because of this, attacker-controlled input reaches SQL structure without a whitelist or safe query construction step. This vulnerability is fixed in 1.0.8.3.

AnalysisAI

SQL injection in Vvveb CMS versions before 1.0.8.3 allows authenticated frontend users to execute arbitrary SQL queries through the order history page. The vulnerability exists in the /user/orders endpoint where order_by and direction parameters are directly concatenated into SQL queries without sanitization, enabling database compromise with low-privileged user credentials. The vendor has released version 1.0.8.3 to address this issue.

Technical ContextAI

The vulnerability affects Vvveb CMS, an open-source content management system with page builder functionality. The issue stems from improper neutralization of special elements in SQL commands (CWE-89) where user-supplied input from URL parameters is directly concatenated into the ORDER BY clause in the OrderSQL::getAll() method. This classic SQL injection pattern occurs when dynamic query construction lacks parameterization or input validation, allowing attackers to modify the intended SQL logic.

RemediationAI

Upgrade to Vvveb CMS version 1.0.8.3 or later, which contains the vendor fix for this SQL injection vulnerability. The patch is available through the official Vvveb GitHub repository as documented in security advisory GHSA-vwcx-w4fq-9769. As an immediate workaround until patching is possible, consider restricting access to the /user/orders endpoint or implementing web application firewall rules to filter potentially malicious order_by and direction parameter values, though this may impact legitimate sorting functionality.

More in Vvveb

View all
CVE-2025-44022 CRITICAL POC
9.8 May 12

An issue in vvveb CMS v.1.0.6 allows a remote attacker to execute arbitrary code via the Plugin mechanism. Rated critica

CVE-2025-11028 MEDIUM POC
5.5 Sep 26

A security flaw has been discovered in givanz Vvveb up to 1.0.7.2. Rated medium severity (CVSS 5.5), this vulnerability

CVE-2025-9728 MEDIUM POC
5.3 Aug 31

A security vulnerability has been detected in givanz Vvveb 1.0.7.2. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-39918 CRITICAL
9.2 Apr 20

Remote code execution in Vvveb CMS versions prior to 1.0.8.1 allows unauthenticated attackers to inject arbitrary PHP co

CVE-2026-34429 MEDIUM POC
5.1 Apr 20

Stored cross-site scripting in Vvveb prior to 1.0.8.1 allows authenticated users with media upload and rename permission

CVE-2026-34427 HIGH
8.7 Apr 20

Privilege escalation in Vvveb CMS versions prior to 1.0.8.1 allows authenticated low-privileged users to inject role_id=

CVE-2026-41934 HIGH
8.7 May 06

Remote code execution in Vvveb CMS versions before 1.0.8.2 enables low-privilege authenticated users (editor, author, co

CVE-2026-34428 HIGH
8.3 Apr 20

Server-Side Request Forgery in Vvveb CMS versions prior to 1.0.8.1 allows authenticated backend users to read arbitrary

CVE-2026-46407 HIGH
8.1 May 15

Authenticated administrators in Vvveb CMS versions before 1.0.8.3 can access REST API tokens of other administrators thr

CVE-2026-46408 HIGH
7.6 May 15

Vvveb CMS versions before 1.0.8.3 allow authenticated users to hijack other users' shopping carts during checkout. The c

CVE-2026-44826 HIGH
7.5 May 15

Negative quantity manipulation in Vvveb CMS versions before 1.0.8.2 allows unauthenticated remote attackers to create or

CVE-2026-41928 MEDIUM
6.9 May 07

Vvveb before 1.0.8.2 exposes the application's secret cron key through an unauthenticated cron controller endpoint, allo

Share

CVE-2026-45800 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy