Givanz Vvveb vulnerabilities

37 known vulnerabilities affecting givanz/vvveb.

Total CVEs: 37
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0

Severity breakdown: CRITICAL 3, HIGH 16, MEDIUM 17, LOW 1

Vulnerabilities

Page 1 of 2
CVE-2025-8518 | P3 | HIGH | CVSS 7.2 | PoC | v1.0.5 | 2025-08-04
CVE-2025-8518 [HIGH] CWE-74: A vulnerability was found in givanz Vvveb 1.0.5. It has been rated as critical. Affected by this issue is the function Save of the file admin/controller/editor/code.php of the component Code Editor. The manipulation leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to ver
Source: nvd
CVE-2026-41930 | P2 | CRITICAL | CVSS 9.8 | fixed in 1.0.8.2 | 2026-05-06
CVE-2026-41930 [CRITICAL] CWE-306: Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to gain unrestricted read and write access to the entire
Source: nvd
CVE-2026-39918 | P2 | CRITICAL | CVSS 9.8 | fixed in 1.0.8.1 | 2026-04-20
CVE-2026-39918 [CRITICAL] CWE-94: Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in the define statement to achieve unauthenticated remote
Source: nvd
CVE-2026-41938 | P2 | HIGH | CVSS 8.8 | fixed in 1.0.8.2 | 2026-05-06
CVE-2026-41938 [HIGH] CWE-434: Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and execute
Source: nvd
CVE-2026-41934 | P2 | HIGH | CVSS 8.8 | fixed in 1.0.8.2 | 2026-05-06
CVE-2026-41934 [HIGH] CWE-184: Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code through insufficient file extension restrictions, with the uploaded payload then executable via subsequent unauthenticated HTTP requests. Attackers with editor, auth
Source: nvd
CVE-2026-34427 | P2 | HIGH | CVSS 8.8 | fixed in 1.0.8.1 | 2026-04-20
CVE-2026-34427 [HIGH] CWE-915: Vvveb prior to 1.0.8.1 contains a privilege escalation vulnerability in the admin user profile save endpoint that allows authenticated users to modify privileged fields on their own profile. Attackers can inject role_id=1 into profile save requests to escalate to Super Administrator privileges, enabling plugin upload functionality for remote code execu
Source: nvd
CVE-2025-9397 | P3 | CRITICAL | CVSS 9.8 | v1.0.7.0, v1.0.7.1, +1 more | 2025-08-24
CVE-2025-9397 [CRITICAL] CWE-284: A weakness has been identified in givanz Vvveb up to 1.0.7.2. Affected is an unknown function of the file /system/traits/media.php. Executing manipulation of the argument files[] can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. Applying a patch is advised
Source: nvd
CVE-2026-41936 | P3 | HIGH | CVSS 8.1 | fixed in 1.0.8.2 | 2026-05-06
CVE-2026-41936 [HIGH] CWE-611: Vvveb before version 1.0.8.2 contains an XML external entity (XXE) injection vulnerability in the admin Tools/Import feature that allows authenticated site_admin users to read arbitrary files and modify database records. Attackers can exploit the XML parser configuration in system/import/xml.php to inject file:// or php://filter entity references that
Source: nvd
CVE-2026-45800 | P3 | HIGH | CVSS 8.7 | fixed in 1.0.8.3 | 2026-05-15
CVE-2026-45800 [HIGH] CWE-89: Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an authenticated SQL injection issue in the frontend user order history page in Vvveb CMS. A normal frontend user can log in and access /user/orders. The order_by and direction request parameters are accepted from the URL,
Source: nvd
CVE-2025-11029 | P3 | HIGH | CVSS 8.8 | v1.0.7.0, v1.0.7.1, +1 more | 2025-09-26
CVE-2025-11029 [HIGH] CWE-352: A weakness has been identified in givanz Vvveb up to 1.0.7.2. This vulnerability affects unknown code. Executing manipulation can lead to cross-site request forgery. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. Once again the project maintainer reacted very professional: "I accept the e
Source: nvd
CVE-2026-46407 | P3 | HIGH | CVSS 8.1 | fixed in 1.0.8.3 | 2026-05-15
CVE-2026-46407 [HIGH] CWE-639: Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to load another administrator's REST API token list by supplying that user's admin_id. This can disclose sensitive API tokens belonging to other administra
Source: nvd
CVE-2026-34428 | P3 | HIGH | CVSS 7.7 | fixed in 1.0.8.1 | 2026-04-20
CVE-2026-34428 [HIGH] CWE-918: Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl() via curl without scheme or destination validation. Authenticated backend users can supply file:// URLs to read arbitrary files readable by the web server process or htt
Source: nvd
CVE-2026-41937 | P3 | HIGH | CVSS 7.2 | fixed in 1.0.8.3 | 2026-05-14
CVE-2026-41937 [HIGH] CWE-61: Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows super_admin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file. Attackers can craft a ZIP containing a plugin.php with a valid Slug header and a public/index.php file with arbitrary PHP code, which executes as the
Source: nvd
CVE-2025-11028 | P3 | HIGH | CVSS 7.5 | v1.0.7.0, v1.0.7.1, +1 more | 2025-09-26
CVE-2025-11028 [HIGH] CWE-200: A security flaw has been discovered in givanz Vvveb up to 1.0.7.2. This affects an unknown part of the component Image Handler. Performing manipulation results in information disclosure. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. Once again the project maintainer reacted very profes
Source: nvd
CVE-2025-11026 | P3 | HIGH | CVSS 7.5 | v1.0.7.0, v1.0.7.1, +1 more | 2025-09-26
CVE-2025-11026 [HIGH] CWE-200: A vulnerability was determined in givanz Vvveb up to 1.0.7.2. Affected by this vulnerability is an unknown functionality of the component Configuration File Handler. This manipulation causes information disclosure. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Once again the project maintainer react
Source: nvd
CVE-2025-11944 | P3 | HIGH | CVSS 7.2 | v1.0.7.0, v1.0.7.1, +2 more | 2025-10-19
CVE-2025-11944 [HIGH] CWE-74: A vulnerability was determined in givanz Vvveb up to 1.0.7.3. This affects the function Import of the file admin/controller/tools/import.php of the component Raw SQL Handler. This manipulation causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Patch name: 52204b4a106b2fb02d16eee06a88
Source: nvd
CVE-2026-46408 | P3 | HIGH | CVSS 7.6 | fixed in 1.0.8.3 | 2026-05-15
CVE-2026-46408 [HIGH] CWE-639: Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart_id and uses it to enter the payment flow without verifying cart ownership. A logged-in attacker can therefore reuse another user's cart data in their own checkout session. This v
Source: nvd
CVE-2026-44826 | P3 | HIGH | CVSS 7.5 | fixed in 1.0.8.2 | 2026-05-15
CVE-2026-44826 [HIGH] CWE-1284: Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-add endpoint. Submitting a negative integer is accepted by the server and treated as a normal positive line-item, but with the sign carried through into ev
Source: nvd
CVE-2025-8517 | P3 | MEDIUM | CVSS 6.3 | v1.0.6.1 | 2025-08-04
CVE-2025-8517 [MEDIUM] CWE-384: A vulnerability was detected in givanz Vvveb 1.0.6.1. Impacted is an unknown function. The manipulation results in session fixation. The attack can be launched remotely. The exploit is now public and may be used. Upgrading to version 1.0.7 is recommended to address this issue. The patch is identified as d4b1e030066417b77d15b4ac505eed5ae7bf2c5e. You s
Source: nvd
CVE-2026-41935 | P3 | HIGH | CVSS 7.1 | fixed in 1.0.8.3 | 2026-05-14
CVE-2026-41935 [HIGH] CWE-209: Vvveb before 1.0.8.3 contains an uncontrolled recursion vulnerability in the admin controller dispatch cycle where Base::init() repeatedly invokes permission() on error handlers, causing infinite recursion until PHP memory limits are exhausted. Attackers can send sustained requests to forbidden admin URLs from a low-privilege account to exhaust PHP me
Source: nvd