QwikSec

Security Database

CVE

CWE

Training

CVE-2026-41929

Published: May 7, 2026

Modified: May 8, 2026

PUBLISHED

CVSS v3.1

6.1

MEDIUM

Description

Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or auto-submitted form that causes victims to execute attacker-controlled JavaScript in the context of the Vvveb origin, as the gating function isEditor() performs no session, role, or token verification and the view handler injects raw HTML POST body content without sanitization.

Vendor	Product	Versions
givanz	Vvveb	affected `0 - < 1.0.8.2`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/givanz/Vvveb/releases/tag/1.0.8.2

release-notes

https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g

vendor-advisory

https://github.com/givanz/Vvveb/commit/54a9e846fb94192f1b31ae81d81d25c874662e6a

patch

https://www.vulncheck.com/advisories/vvveb-unauthenticated-reflected-xss-via-visual-editor

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.