CVE-2026-34429
Published 2026-04-20
Priority P4 · 30 · medium · 5.4 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.28% (19.8th percentile)
Vvveb prior to 1.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. Attackers can prepend a GIF89a header to HTML/JavaScript payloads to bypass upload validation, rename the file to .html extension, and execute malicious scripts in an administrator's browser session to create backdoor accounts and upload malicious plugins for remote code execution.
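The description above names two weaknesses that combine: an upload filter that trusts the leading magic bytes (so `GIF89a` followed by markup passes as an image), and a rename operation that lets a stored file acquire an extension the web server will deliver as an HTML document. The following is an added example of the defensive checks that close both gaps; it is not Vvveb's own code, and the function names, the extension allowlist, the constructed 1x1 GIF and the constructed polyglot sample are all assumptions for illustration. Instead of trusting the signature alone, it walks the GIF block structure, refuses anything after the trailer, and re-validates a rename exactly as if the file were being uploaded under its new name.

```python
"""Content-aware upload and rename gate (added example, not Vvveb's code).

A polyglot that is 'GIF89a' followed by markup fails the structural walk,
and a rename from .gif to .html fails the extension allowlist, which is the
control the advisory says was missing.
"""
import os
import re

# Extensions a media library is expected to hold (assumed allowlist). Anything
# else, including .html, .htm, .svg, .js and .php, is rejected on upload AND rename.
ALLOWED_EXTENSIONS = {"gif", "png", "jpg", "jpeg"}

MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Markup that has no business inside a raster image; a belt-and-braces scan.
_ACTIVE_CONTENT = re.compile(rb"<\s*(script|html|svg|iframe|body|object)\b", re.I)

# Constructed samples: a valid 1x1 GIF, and the GIF89a-prefixed markup pattern
# the advisory describes (harmless alert used as a stand-in payload).
SAMPLE_GIF = (b"GIF89a\x01\x00\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
              b"\x00\x02\x02D\x01\x00;")
SAMPLE_POLYGLOT = b"GIF89a<html><body><script>alert(1)</script></body></html>"


def extension_of(name: str) -> str:
    return os.path.splitext(name)[1].lstrip(".").lower()


def _skip_sub_blocks(data: bytes, pos: int):
    """Advance past a chain of length-prefixed sub-blocks; None if truncated."""
    while pos < len(data):
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size
    return None


def gif_is_well_formed(data: bytes) -> bool:
    """Walk the GIF block structure rather than trusting the six magic bytes."""
    if len(data) < 13 or not data.startswith(MAGIC["gif"]):
        return False
    packed = data[10]                      # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                      # global color table present
        pos += 3 * (2 << (packed & 0x07))
    while pos < len(data):
        introducer = data[pos]
        if introducer == 0x3B:             # trailer: nothing may follow it
            return pos == len(data) - 1
        if introducer == 0x21:             # extension: label byte + sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif introducer == 0x2C:           # image descriptor (9 bytes after 0x2C)
            if pos + 10 > len(data):
                return False
            lpacked = data[pos + 9]
            pos += 10
            if lpacked & 0x80:             # local color table present
                pos += 3 * (2 << (lpacked & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)   # +1 = LZW minimum code size
        else:
            return False                   # e.g. '<' of '<html>': not a GIF block
        if pos is None:
            return False
    return False                           # ran off the end without a trailer


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason) for a file arriving under the given name."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} is not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match the extension"
    if _ACTIVE_CONTENT.search(data):
        return False, "markup found inside a media file"
    if ext == "gif" and not gif_is_well_formed(data):
        return False, "GIF structure is invalid"
    return True, "ok"


def validate_rename(old_name: str, new_name: str, data: bytes):
    """A rename is re-validated as if the stored bytes were uploaded under new_name,
    so .gif -> .html fails the allowlist and a polyglot cannot be relabelled."""
    if "/" in new_name or "\\" in new_name or ".." in new_name:
        return False, "path separators are not allowed in a file name"
    ok, reason = validate_upload(new_name, data)
    if not ok:
        return False, f"rename {old_name} -> {new_name} refused: {reason}"
    return True, "ok"


if __name__ == "__main__":
    print(validate_upload("logo.gif", SAMPLE_GIF))
    print(validate_upload("logo.gif", SAMPLE_POLYGLOT))
    print(validate_rename("logo.gif", "logo.html", SAMPLE_GIF))
```

The structural walk is defense in depth; the control that actually stops the described chain is applying the allowlist on rename as well as on upload. Independently of either, serving the media directory with `X-Content-Type-Options: nosniff` and a `Content-Disposition: attachment` header, or from a separate origin, keeps a stored file from running as a document in an administrator's session even if a filter is bypassed.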
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| givanz | vvveb | < 1.0.8.1 | 1.0.8.1 |
CVSS provenance
NVD, CVSS v3.1: 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
NVD, CVSS v4.0: 5.1 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulDB
givanz Vvveb up to 1.0.8.0 Media Upload cross site scripting
vuldb · 2026-04-20 · CVSS 5.1 · CVE-2026-34429 [MEDIUM]
A vulnerability was found in givanz Vvveb up to 1.0.8.0. It has been rated as problematic. The affected element is an unknown function of the component Media Upload Handler. This manipulation causes cross site scripting.
The identification of this vulnerability is CVE-2026-34429. It is possible to initiate the attack remotely. There is no exploit available.
Upgrading the affected component is advised.
GHSA
GHSA-49mg-4v6p-32w2: Vvveb prior to 1
ghsa_unreviewed · 2026-04-20 · CVE-2026-34429 [MEDIUM] · CWE-79
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://delta.cyberm.ca/bugbin/ur66bvB7BYTC9y0eCIk3uzhZQgbjzAkG/
- https://github.com/givanz/Vvveb/commit/cc997d3359ea5e49a45c132f5dee3bc80fb441d7
- https://github.com/givanz/Vvveb/releases/tag/1.0.8.1
- https://github.com/givanz/Vvveb/security/advisories/GHSA-2vc4-49hq-g7f4
- https://www.vulncheck.com/advisories/vvveb-stored-xss-via-media-upload-and-rename