CVE-2025-11027

LOW

Vvveb < 1.0.7.2 - Cross-Site Scripting in SVG File Handler

Title source: llm

Description

A vulnerability was identified in givanz Vvveb up to 1.0.7.2. Affected by this issue is some unknown functionality of the component SVG File Handler. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. Once again the project maintainer reacted very professional: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release."

References (4)

Core 4

Core References

Third Party Advisory, VDB Entry vdb-entry

https://vuldb.com/?id.325965

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.325965

Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.657184

Exploit exploit

https://gist.github.com/KhanMarshaI/b90045ee823866a52f33615776b5a6ec

Scores

CVSS v3 2.4

EPSS 0.0026

EPSS Percentile 17.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79 CWE-94

Status published

Products (1)

vvveb/vvveb < 1.0.7.2

Published Sep 26, 2025

Tracked Since Feb 18, 2026