CVE-2026-41929

MEDIUM 6.1

Vvveb < 1.0.8.2 Unauthenticated Reflected XSS via Visual Editor

CVSS Score

6.1

EPSS Score

0.0%

EPSS Percentile

0th

Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or auto-submitted form that causes victims to execute attacker-controlled JavaScript in the context of the Vvveb origin, as the gating function isEditor() performs no session, role, or token verification and the view handler injects raw HTML POST body content without sanitization.

CWE	CWE-79
Vendor	givanz
Product	vvveb
Published	May 7, 2026

Stay Ahead of the Next One

Get instant alerts for givanz vvveb

Be the first to know when new medium vulnerabilities affecting givanz vvveb are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

givanz / Vvveb

0 < 1.0.8.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 github.com: https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g github.com: https://github.com/givanz/Vvveb/commit/54a9e846fb94192f1b31ae81d81d25c874662e6a vulncheck.com: https://www.vulncheck.com/advisories/vvveb-unauthenticated-reflected-xss-via-visual-editor

Credits

Basant Kumar (@CyberWarrior9) Hamed Kohi (@0xHamy) VulnCheck