Stored Cross-Site Scripting in Vvveb by Givanz
CVE-2026-41932

5.3MEDIUM

Key Information:

Vendor

Givanz

Status
Vvveb
Vendor
CVE Published:
14 May 2026

What is CVE-2026-41932?

Vvveb versions before 1.0.8.3 are susceptible to a stored cross-site scripting vulnerability during user signup. The vulnerability arises when the Signup::addUser() controller handles raw POST username values improperly, copying them into the display_name field without adequate sanitization. Although the username is stripped from the database, the unfiltered display_name retains the raw HTML and script content. This flaw can lead to the execution of malicious scripts when the display_name is rendered in certain views that do not apply necessary encoding.

Affected Version(s)

Vvveb 0

Vvveb 0 < 1.0.8.3

Vvveb fefac290a8c85d3c87fe80ffed68b6c5bc50e93c

References

https://github.com/givanz/Vvveb/releases/tag/1.0.8.3
release-notes
https://github.com/givanz/Vvveb/commit/fefac290a8c85d3c87...
patch
https://www.vulncheck.com/advisories/vvveb-stored-xss-via...
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Basant Kumar (@CyberWarrior9)
VulnCheck
.