Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to load another administrator's REST API token list by supplying that user's admin_id. This can disclose sensitive API tokens belonging to other administrators. This vulnerability is fixed in 1.0.8.3.
AnalysisAI
Authenticated administrators in Vvveb CMS versions before 1.0.8.3 can access REST API tokens of other administrators through the admin/auth-token endpoint by manipulating the admin_id parameter. This authorization bypass allows lateral privilege escalation between admin accounts, potentially compromising all administrative API operations. The vulnerability requires low-privileged authenticated access and has been patched in version 1.0.8.3.
Technical ContextAI
Vvveb is a content management system with page builder capabilities for creating websites and ecommerce stores. The vulnerability resides in the backend admin/auth-token endpoint which fails to properly validate authorization when retrieving API token lists. The flaw is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), where an authenticated user can manipulate the admin_id parameter to access resources belonging to other users. The affected CPE identifier is cpe:2.3:a:givanz:vvveb:*:*:*:*:*:*:*:*, indicating all versions prior to the fixed release are vulnerable.
RemediationAI
Vendor-released patch: upgrade to Vvveb CMS version 1.0.8.3 or later, which contains the fix for this authorization bypass. The patch is available through the project's GitHub repository as referenced in advisory GHSA-5g3g-x6mf-pwr6. As an interim mitigation, restrict administrative access to trusted users only and monitor admin/auth-token endpoint access logs for suspicious cross-admin token retrieval attempts. Consider implementing additional authentication factors for administrative accounts to reduce risk from compromised low-privilege admin credentials.
An issue in vvveb CMS v.1.0.6 allows a remote attacker to execute arbitrary code via the Plugin mechanism. Rated critica
A security flaw has been discovered in givanz Vvveb up to 1.0.7.2. Rated medium severity (CVSS 5.5), this vulnerability
A security vulnerability has been detected in givanz Vvveb 1.0.7.2. Rated medium severity (CVSS 5.3), this vulnerability
Remote code execution in Vvveb CMS versions prior to 1.0.8.1 allows unauthenticated attackers to inject arbitrary PHP co
Stored cross-site scripting in Vvveb prior to 1.0.8.1 allows authenticated users with media upload and rename permission
Privilege escalation in Vvveb CMS versions prior to 1.0.8.1 allows authenticated low-privileged users to inject role_id=
SQL injection in Vvveb CMS versions before 1.0.8.3 allows authenticated frontend users to execute arbitrary SQL queries
Remote code execution in Vvveb CMS versions before 1.0.8.2 enables low-privilege authenticated users (editor, author, co
Server-Side Request Forgery in Vvveb CMS versions prior to 1.0.8.1 allows authenticated backend users to read arbitrary
Vvveb CMS versions before 1.0.8.3 allow authenticated users to hijack other users' shopping carts during checkout. The c
Negative quantity manipulation in Vvveb CMS versions before 1.0.8.2 allows unauthenticated remote attackers to create or
Vvveb before 1.0.8.2 exposes the application's secret cron key through an unauthenticated cron controller endpoint, allo
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30585