
Givanz Vvveb vulnerabilities

37 known vulnerabilities affecting givanz/vvveb.

Total CVEs: 37
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 16, MEDIUM 17, LOW 1

Vulnerabilities

Page 2 of 2
CVE-2026-41928 | P4 | MEDIUM | CVSS 5.3 | fixed in 1.0.8.2 | 2026-05-07
CVE-2026-41928 [MEDIUM] CWE-497: Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. Attackers can access the cron controller without authentication and retrieve the exposed secret key from the response, enabling them to trigger scheduled task execution outs
nvd
CVE-2025-12203 | P4 | MEDIUM | CVSS 4.9 | v1.0.7.0, v1.0.7.1 +2 more | 2025-10-27
CVE-2025-12203 [MEDIUM] CWE-22: A weakness has been identified in givanz Vvveb up to 1.0.7.3. This issue affects the function sanitizeFileName of the file system/functions.php of the component Code Editor. Executing a manipulation of the argument File can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used
nvd
CVE-2025-11027 | P4 | MEDIUM | CVSS 5.4 | v1.0.7.0, v1.0.7.1 +1 more | 2025-09-26
CVE-2025-11027 [MEDIUM] CWE-79: A vulnerability was identified in givanz Vvveb up to 1.0.7.2. Affected by this issue is some unknown functionality of the component SVG File Handler. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. Once again the project maintainer reacted very professional: "I
nvd
CVE-2026-41933 | P4 | MEDIUM | CVSS 5.3 | fixed in 1.0.8.3 | 2026-05-14
CVE-2026-41933 [MEDIUM] CWE-548: Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset paths, plugins, themes, and media folders to view filename
nvd
CVE-2026-34429 | P4 | MEDIUM | CVSS 5.4 | fixed in 1.0.8.1 | 2026-04-20
CVE-2026-34429 [MEDIUM] CWE-79: Vvveb prior to 1.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. Attackers can prepend a GIF89a header to HTML/JavaScript payloads to bypass upload
nvd
CVE-2025-8521 | P4 | MEDIUM | CVSS 5.4 | v1.0.0, v1.0.1 +4 more | 2025-08-04
CVE-2025-8521 [MEDIUM] CWE-79: A vulnerability, which was classified as problematic, has been found in givanz Vvveb up to 1.0.5. This issue affects some unknown processing of the file /vadmin123/index.php?module=settings/post-types of the component Add Type Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed t
nvd
CVE-2025-8975 | P4 | MEDIUM | CVSS 5.4 | v1.0.0, v1.0.1 +4 more | 2025-08-14
CVE-2025-8975 [MEDIUM] CWE-79: A vulnerability was identified in givanz Vvveb up to 1.0.5. This affects an unknown part of the file admin/template/content/edit.tpl. The manipulation of the argument slug leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.6 is able to add
nvd
CVE-2025-8976 | P4 | MEDIUM | CVSS 5.4 | v1.0.0, v1.0.1 +4 more | 2025-08-14
CVE-2025-8976 [MEDIUM] CWE-79: A vulnerability has been found in givanz Vvveb up to 1.0.5. This vulnerability affects unknown code of the file /vadmin123/index.php?module=content/post&type=post of the component Endpoint. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to vers
nvd
CVE-2026-41931 | P4 | MEDIUM | CVSS 5.3 | fixed in 1.0.8.2 | 2026-05-06
CVE-2026-41931 [MEDIUM] CWE-209: Vvveb before version 1.0.8.2 contains an information disclosure vulnerability that allows unauthenticated attackers to obtain sensitive server information by triggering unhandled exceptions in the password-reset module. Attackers can access the admin password-reset endpoint to trigger a fatal error caused by a missing namespace import, which exposes
nvd
CVE-2025-8520 | P4 | MEDIUM | CVSS 4.7 | v1.0.0, v1.0.1 +4 more | 2025-08-04
CVE-2025-8520 [MEDIUM] CWE-918: A vulnerability classified as critical was found in givanz Vvveb up to 1.0.5. This vulnerability affects unknown code of the file /vadmin123/?module=editor/editor of the component Drag-and-Drop Editor. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the
nvd
CVE-2025-9728 | P4 | MEDIUM | CVSS 6.1 | v1.0.7.2 | 2025-08-31
CVE-2025-9728 [MEDIUM] CWE-79: A security vulnerability has been detected in givanz Vvveb 1.0.7.2. This affects an unknown part of the file app/template/user/login.tpl. Such manipulation of the argument Email/Password leads to cross site scripting. The attack can be executed remotely. The name of the patch is bbd4c42c66ab818142240348173a669d1d2537fe. Applying a patch is advised to re
nvd
CVE-2026-44366 | P4 | MEDIUM | CVSS 6.1 | fixed in 1.0.8.1 | 2026-05-15
CVE-2026-44366 [MEDIUM] CWE-79: Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.1, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Vvveb CMS comment submission flow. The author field is submitted by an unauthenticated user on any public post page, stored without sanitization, and later rendered u
nvd
CVE-2026-41932 | P4 | MEDIUM | CVSS 6.1 | fixed in 1.0.8.3 | 2026-05-14
CVE-2026-41932 [MEDIUM] CWE-79: Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow where the Signup::addUser() controller copies raw POST username values into the display_name field before sanitization occurs. Attackers can submit HTML and script markup in the username field during signup, which gets stripped from the username colu
nvd
CVE-2026-41929 | P4 | MEDIUM | CVSS 6.1 | fixed in 1.0.8.2 | 2026-05-07
CVE-2026-41929 [MEDIUM] CWE-79: Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or auto-submitted form that causes victims to execute a
nvd
CVE-2026-45622 | P4 | MEDIUM | CVSS 5.3 | fixed in 1.0.8.3 | 2026-05-15
CVE-2026-45622 [MEDIUM] CWE-79: Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an unauthenticated reflected cross-site scripting (XSS) issue in the public product return form in Vvveb CMS. The customer_order_id POST parameter is inserted into the Order %s not found! error message when the order look
nvd
CVE-2026-45616 | P4 | MEDIUM | CVSS 5.1 | fixed in 1.0.8.3 | 2026-05-15
CVE-2026-45616 [MEDIUM] CWE-79: Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, This vulnerability is fixed in 1.0.8.3.
nvd
CVE-2025-8519 | P4 | LOW | CVSS 2.7 | v1.0.0, v1.0.1 +4 more | 2025-08-04
CVE-2025-8519 [LOW] CWE-200: A vulnerability classified as problematic has been found in givanz Vvveb up to 1.0.5. This affects an unknown part of the file /vadmin123/index.php?module=editor/editor of the component Drag-and-Drop Editor. The manipulation of the argument url leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed
nvd