What is the CVSS score of CVE-2026-46407?

CVE-2026-46407 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Vvveb CMS are affected by CVE-2026-46407?

Vvveb CMS versions before 1.0.8.3 contain an authorization bypass that allows authenticated administrators to retrieve API tokens of other administrators, enabling lateral privilege escalation across…. A patch is available.

Vvveb CMS CVE-2026-46407

EUVD-2026-30585 HIGH

Authorization Bypass Through User-Controlled Key (CWE-639)

2026-05-15 GitHub_M

Authentication Bypass

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Patch available

May 15, 2026 - 20:02 EUVD

Analysis Generated

May 15, 2026 - 19:32 vuln.today

DescriptionNVD

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to load another administrator's REST API token list by supplying that user's admin_id. This can disclose sensitive API tokens belonging to other administrators. This vulnerability is fixed in 1.0.8.3.

AnalysisAI

Authenticated administrators in Vvveb CMS versions before 1.0.8.3 can access REST API tokens of other administrators through the admin/auth-token endpoint by manipulating the admin_id parameter. This authorization bypass allows lateral privilege escalation between admin accounts, potentially compromising all administrative API operations. …

RemediationAI

Within 24 hours: Inventory all Vvveb CMS deployments and confirm versions below 1.0.8.3. Within 7 days: Upgrade all affected instances to Vvveb CMS version 1.0.8.3 or later; if immediate patching is impossible, revoke and regenerate all admin API tokens as interim mitigation. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-46407 vulnerability details – vuln.today

Back