🔐 CVE Alert

CVE-2026-34429

MEDIUM 5.4

Vvveb < 1.0.8.1 Stored XSS via Media Upload and Rename

CVSS Score: 5.4
EPSS Score: 0.0%
EPSS Percentile: 0th

Vvveb prior to 1.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. Attackers can prepend a GIF89a header to HTML/JavaScript payloads to bypass upload validation, rename the file to an .html extension, and execute malicious scripts in an administrator's browser session to create backdoor accounts and upload malicious plugins for remote code execution.
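A defensive check for the two steps described above, as an added example that is not Vvveb's code and not the fix shipped in 1.0.8.1: it applies one extension allowlist to both upload and rename, and rejects a valid image header that is followed by markup. The allowlist, marker list, function names and sample bytes are assumptions constructed for illustration.

```python
import os

ALLOWED = {  # assumed allowlist: extension -> accepted magic-byte prefixes
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Heuristic markers of active content hidden behind a valid image header.
MARKUP = (b"<script", b"<html", b"<iframe", b"<svg", b"<body", b"javascript:")


def ext_of(name):
    """Lower-cased final extension of the base name, path components dropped."""
    return os.path.splitext(os.path.basename(name))[1].lower()


def check_upload(name, data):
    """Return the reasons to reject an upload; an empty list means accept."""
    ext = ext_of(name)
    if ext not in ALLOWED:
        return [f"extension {ext or '(none)'} not allowed"]
    reasons = []
    if not data.startswith(ALLOWED[ext]):
        reasons.append("content does not start with the magic bytes for " + ext)
    hits = [m.decode() for m in MARKUP if m in data.lower()]
    if hits:  # magic bytes alone do not prove the file is only an image
        reasons.append("markup after image header: " + ", ".join(hits))
    return reasons


def check_rename(old, new):
    """Apply the upload rule to renames: allowlisted target, same type as source."""
    reasons = []
    if ext_of(new) not in ALLOWED:
        reasons.append(f"target extension {ext_of(new) or '(none)'} not allowed")
    if ALLOWED.get(ext_of(new)) != ALLOWED.get(ext_of(old)):
        reasons.append("rename changes the file type")
    return reasons


# Constructed samples: a minimal GIF header, and the same header followed by markup.
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
POLYGLOT = b"GIF89a<html><body>constructed sample</body></html>"

if __name__ == "__main__":
    print(check_upload("logo.gif", POLYGLOT))
    print(check_rename("logo.gif", "logo.html"))
```

The marker scan is a heuristic; re-encoding accepted images server-side and serving the media directory with `X-Content-Type-Options: nosniff` are stronger complements to it.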

CWE: CWE-79
Vendor: givanz
Product: vvveb
Published: Apr 20, 2026
Last Updated: Apr 20, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Affected Versions

givanz / Vvveb
0 < 1.0.8.1

References

delta.cyberm.ca: https://delta.cyberm.ca/bugbin/ur66bvB7BYTC9y0eCIk3uzhZQgbjzAkG/
github.com: https://github.com/givanz/Vvveb/releases/tag/1.0.8.1
github.com: https://github.com/givanz/Vvveb/commit/cc997d3359ea5e49a45c132f5dee3bc80fb441d7
vulncheck.com: https://www.vulncheck.com/advisories/vvveb-stored-xss-via-media-upload-and-rename

Credits

Hamed Kohi VulnCheck