Home

Description

Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or auto-submitted form that causes victims to execute attacker-controlled JavaScript in the context of the Vvveb origin, as the gating function isEditor() performs no session, role, or token verification and the view handler injects raw HTML POST body content without sanitization.

PUBLISHED Reserved 2026-04-22 | Published 2026-05-07 | Updated 2026-05-08 | Assigner VulnCheck




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

MEDIUM: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
affected

Any version before 1.0.8.2
affected

Credits

Basant Kumar (@CyberWarrior9) finder

Hamed Kohi (@0xHamy) finder

VulnCheck finder

References

github.com/.../Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g exploit

github.com/givanz/Vvveb/releases/tag/1.0.8.2 release-notes

github.com/.../Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g vendor-advisory

github.com/...ommit/54a9e846fb94192f1b31ae81d81d25c874662e6a patch

www.vulncheck.com/...ticated-reflected-xss-via-visual-editor third-party-advisory

cve.org (CVE-2026-41929)

nvd.nist.gov (CVE-2026-41929)

Download JSON