Skip to main content

Vvveb CMS CVE-2026-46407

| EUVDEUVD-2026-30585 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-15 GitHub_M
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
May 15, 2026 - 20:02 EUVD
Analysis Generated
May 15, 2026 - 19:32 vuln.today

DescriptionGitHub Advisory

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to load another administrator's REST API token list by supplying that user's admin_id. This can disclose sensitive API tokens belonging to other administrators. This vulnerability is fixed in 1.0.8.3.

AnalysisAI

Authenticated administrators in Vvveb CMS versions before 1.0.8.3 can access REST API tokens of other administrators through the admin/auth-token endpoint by manipulating the admin_id parameter. This authorization bypass allows lateral privilege escalation between admin accounts, potentially compromising all administrative API operations. The vulnerability requires low-privileged authenticated access and has been patched in version 1.0.8.3.

Technical ContextAI

Vvveb is a content management system with page builder capabilities for creating websites and ecommerce stores. The vulnerability resides in the backend admin/auth-token endpoint which fails to properly validate authorization when retrieving API token lists. The flaw is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), where an authenticated user can manipulate the admin_id parameter to access resources belonging to other users. The affected CPE identifier is cpe:2.3:a:givanz:vvveb:*:*:*:*:*:*:*:*, indicating all versions prior to the fixed release are vulnerable.

RemediationAI

Vendor-released patch: upgrade to Vvveb CMS version 1.0.8.3 or later, which contains the fix for this authorization bypass. The patch is available through the project's GitHub repository as referenced in advisory GHSA-5g3g-x6mf-pwr6. As an interim mitigation, restrict administrative access to trusted users only and monitor admin/auth-token endpoint access logs for suspicious cross-admin token retrieval attempts. Consider implementing additional authentication factors for administrative accounts to reduce risk from compromised low-privilege admin credentials.

More in Vvveb

View all
CVE-2025-44022 CRITICAL POC
9.8 May 12

An issue in vvveb CMS v.1.0.6 allows a remote attacker to execute arbitrary code via the Plugin mechanism. Rated critica

CVE-2025-11028 MEDIUM POC
5.5 Sep 26

A security flaw has been discovered in givanz Vvveb up to 1.0.7.2. Rated medium severity (CVSS 5.5), this vulnerability

CVE-2025-9728 MEDIUM POC
5.3 Aug 31

A security vulnerability has been detected in givanz Vvveb 1.0.7.2. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-39918 CRITICAL
9.2 Apr 20

Remote code execution in Vvveb CMS versions prior to 1.0.8.1 allows unauthenticated attackers to inject arbitrary PHP co

CVE-2026-34429 MEDIUM POC
5.1 Apr 20

Stored cross-site scripting in Vvveb prior to 1.0.8.1 allows authenticated users with media upload and rename permission

CVE-2026-34427 HIGH
8.7 Apr 20

Privilege escalation in Vvveb CMS versions prior to 1.0.8.1 allows authenticated low-privileged users to inject role_id=

CVE-2026-45800 HIGH
8.7 May 15

SQL injection in Vvveb CMS versions before 1.0.8.3 allows authenticated frontend users to execute arbitrary SQL queries

CVE-2026-41934 HIGH
8.7 May 06

Remote code execution in Vvveb CMS versions before 1.0.8.2 enables low-privilege authenticated users (editor, author, co

CVE-2026-34428 HIGH
8.3 Apr 20

Server-Side Request Forgery in Vvveb CMS versions prior to 1.0.8.1 allows authenticated backend users to read arbitrary

CVE-2026-46408 HIGH
7.6 May 15

Vvveb CMS versions before 1.0.8.3 allow authenticated users to hijack other users' shopping carts during checkout. The c

CVE-2026-44826 HIGH
7.5 May 15

Negative quantity manipulation in Vvveb CMS versions before 1.0.8.2 allows unauthenticated remote attackers to create or

CVE-2026-41928 MEDIUM
6.9 May 07

Vvveb before 1.0.8.2 exposes the application's secret cron key through an unauthenticated cron controller endpoint, allo

Share

CVE-2026-46407 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy