Which versions of Vvveb CMS are affected by EUVD-2026-30582?

Vvveb CMS versions prior to 1.0.8.3 contain a SQL injection vulnerability in the order history functionality that allows authenticated users to execute arbitrary database queries, potentially…. A patch is available.

Vvveb CMS EUVD-2026-30582

Q: What is the CVSS score of EUVD-2026-30582?

EUVD-2026-30582 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-45800 HIGH

SQL Injection (CWE-89)

2026-05-15 GitHub_M

SQLi

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 15, 2026 - 20:02 EUVD

Analysis Generated

May 15, 2026 - 19:32 vuln.today

CVSS changed

May 15, 2026 - 19:22 NVD

8.7 (HIGH)

DescriptionNVD

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an authenticated SQL injection issue in the frontend user order history page in Vvveb CMS. A normal frontend user can log in and access /user/orders. The order_by and direction request parameters are accepted from the URL, propagated through the Orders component, and directly concatenated into the SQL ORDER BY clause in OrderSQL::getAll(). Because of this, attacker-controlled input reaches SQL structure without a whitelist or safe query construction step. This vulnerability is fixed in 1.0.8.3.

AnalysisAI

SQL injection in Vvveb CMS versions before 1.0.8.3 allows authenticated frontend users to execute arbitrary SQL queries through the order history page. The vulnerability exists in the /user/orders endpoint where order_by and direction parameters are directly concatenated into SQL queries without sanitization, enabling database compromise with low-privileged user credentials. …

RemediationAI

Within 24 hours: inventory all Vvveb CMS deployments and document current version numbers; verify which instances run versions before 1.0.8.3. Within 7 days: apply vendor-released patch to Vvveb CMS version 1.0.8.3 or later across all production and non-production environments; test functionality on order history and reporting features post-deployment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-30582 vulnerability details – vuln.today

Back

Vvveb CMS EUVD-2026-30582

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Vvveb CMS EUVD-2026-30582

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code