CVE-2026-41929
Severity: MEDIUM
Vvveb < 1.0.8.2 Unauthenticated Reflected XSS via Visual Editor
Title source: cna
Description
Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and the _component_ajax POST parameter. Attackers can craft a malicious link or auto-submitted form that causes victims to execute attacker-controlled JavaScript in the context of the Vvveb origin, because the gating function isEditor() performs no session, role, or token verification and the view handler injects raw HTML from the POST body into the page without sanitization.
References (4)
Release Notes: https://github.com/givanz/Vvveb/releases/tag/1.0.8.2
Vendor Advisory: https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g
Third Party Advisory: https://www.vulncheck.com/advisories/vvveb-unauthenticated-reflected-xss-via-visual-editor
Scores
CVSS v3: 6.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.0020
EPSS Percentile: 9.6%
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (1)
givanz/Vvveb < 1.0.8.2
Published: May 07, 2026
Tracked Since: May 08, 2026