CVE-2026-34429
MEDIUMVvveb < 1.0.8.1 Stored XSS via Media Upload and Rename
Title source: cnaDescription
Vvveb prior to 1.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. Attackers can prepend a GIF89a header to HTML/JavaScript payloads to bypass upload validation, rename the file to .html extension, and execute malicious scripts in an administrator's browser session to create backdoor accounts and upload malicious plugins for remote code execution.
References (5)
Core 5
Core References
Exploit technical-description
exploit
https://delta.cyberm.ca/bugbin/ur66bvB7BYTC9y0eCIk3uzhZQgbjzAkG/
Vendor Advisory vendor-advisory
https://github.com/givanz/Vvveb/security/advisories/GHSA-2vc4-49hq-g7f4
Release Notes release-notes
https://github.com/givanz/Vvveb/releases/tag/1.0.8.1
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/vvveb-stored-xss-via-media-upload-and-rename
Scores
CVSS v3
5.4
EPSS
0.0028
EPSS Percentile
19.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
givanz/Vvveb
< 1.0.8.1
givanz/Vvveb
cc997d3359ea5e49a45c132f5dee3bc80fb441d7
Published
Apr 20, 2026
Tracked Since
Apr 20, 2026