CVE-2026-5615

Severity: MEDIUM · Nuclei template available

givanz Vvvebjs File Upload Endpoint upload.php cross site scripting

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-5615. PoCs published by sahmsec. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional Python exploit for CVE-2026-5615, a Stored Cross-Site Scripting (RXSS) vulnerability in VvvebJs <= v2.0.5. The exploit uploads a malicious SVG file containing JavaScript payloads to vulnerable targets and verifies successful exploitation.

Description

A weakness has been identified in givanz Vvvebjs up to 2.0.5. The affected element is an unknown function in the file upload.php of the component File Upload Endpoint. Manipulation of the argument uploadAllowExtensions leads to cross-site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. Patch name: 8cac22cff99b8bc701c408aa8e887fa702755336. Applying the patch is the recommended action to fix this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Exploits (1)

nomisec · WORKING POC
by sahmsec · poc
https://github.com/sahmsec/CVE-2026-5615


Classification: Working PoC (95%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: VvvebJs <= v2.0.5
Authentication: none needed
Prerequisites: Target running VvvebJs <= v2.0.5 with accessible upload.php endpoint
Analyzed by devstral-2 on May 08, 2026

Nuclei Templates (1)

VvvebJs <= 2.0.5 - Cross-Site Scripting
MEDIUM · VERIFIED · by theamanrawat
Shodan query: http.html:"VvvebJs"

References (6)

Core References (6)

VDB Entry, Technical Description
VDB-355406 | givanz Vvvebjs File Upload Endpoint upload.php cross site scripting
https://vuldb.com/vuln/355406

Signature, Permissions Required
VDB-355406 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/355406/cti

Third Party Advisory
Submit #785563 | givanz VvvebJs 2.0.5 Stored XSS
https://vuldb.com/submit/785563

Scores

CVSS v3 4.3
EPSS 0.0168
EPSS Percentile 82.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79 CWE-94
Status published
Products (6)
givanz/Vvvebjs 2.0.0
givanz/Vvvebjs 2.0.1
givanz/Vvvebjs 2.0.2
givanz/Vvvebjs 2.0.3
givanz/Vvvebjs 2.0.4
givanz/Vvvebjs 2.0.5
Published Apr 06, 2026
Tracked Since Apr 06, 2026