Unauthenticated Reflected XSS Vulnerability in Vvveb by Givanz
CVE-2026-41929

5.1MEDIUM

Key Information:

Vendor

Givanz

Status
Vvveb
Vendor
CVE Published:
7 May 2026

What is CVE-2026-41929?

The Vvveb platform prior to version 1.0.8.2 is susceptible to an unauthenticated reflected cross-site scripting (XSS) vulnerability. This flaw is present in the visual editor's preview renderer, which does not properly validate inputs. By manipulating the 'r' query parameter and the '_component_ajax' POST parameter, an attacker can create a malicious URL or auto-submitted form. When a victim interacts with this link, attacker-controlled JavaScript can be executed within the Vvveb context, leading to potential exploitation. The absence of session, role, or token validation in the isEditor() function significantly increases the risk of successful attacks, as the system also fails to sanitize the raw HTML content submitted via POST requests.

Affected Version(s)

Vvveb 0

References

https://github.com/givanz/Vvveb/releases/tag/1.0.8.2
release-notes
https://github.com/givanz/Vvveb/security/advisories/GHSA-...
vendor-advisory
https://github.com/givanz/Vvveb/commit/54a9e846fb94192f1b...
patch

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Basant Kumar (@CyberWarrior9)
Hamed Kohi (@0xHamy)
VulnCheck
.