Authenticated SQL Injection in Vvveb CMS by Givanz
CVE-2026-45800

8.7 HIGH

Key Information:

Vendor: Givanz

Status
Vendor

CVE Published: 15 May 2026

What is CVE-2026-45800?

Vvveb CMS, a content management system, contains an authenticated SQL injection flaw in its user order history page. The user-controlled parameters 'order_by' and 'direction' are concatenated directly into SQL queries without validation. An attacker with frontend access can exploit this to manipulate those queries, potentially viewing or modifying sensitive data. The vulnerability was fixed in version 1.0.8.3.
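Sort column and direction are SQL identifiers and keywords, so they cannot be passed as bound parameters; the usual mitigation is to map them through an allowlist. The following is an added example, not Vvveb's code or its actual patch: the table, column names and functions are hypothetical, and the data is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout: the table, columns and functions below are
// assumptions for illustration, not Vvveb's schema or code.

// Allowlist: request value => SQL identifier. Only the right-hand side,
// which is written by the developer, ever reaches the query text.
const ORDER_SORT_COLUMNS = [
    'date'   => 'created_at',
    'total'  => 'total',
    'status' => 'order_status',
];

function orderByClause(?string $orderBy, ?string $direction): string
{
    // Unknown or missing keys fall back to a fixed default column.
    $column = ORDER_SORT_COLUMNS[$orderBy ?? ''] ?? 'created_at';
    // Direction is reduced to one of two literals, never echoed back.
    $dir = strtoupper(trim($direction ?? '')) === 'ASC' ? 'ASC' : 'DESC';
    return "ORDER BY $column $dir";
}

function userOrders(PDO $db, int $userId, ?string $orderBy, ?string $direction): array
{
    // Values are bound; identifiers come only from the allowlist.
    $sql = 'SELECT order_id, total, order_status, created_at FROM orders '
         . 'WHERE user_id = :user_id ' . orderByClause($orderBy, $direction);
    $stmt = $db->prepare($sql);
    $stmt->execute([':user_id' => $userId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (order_id INTEGER, user_id INTEGER, '
        . 'total REAL, order_status TEXT, created_at TEXT)');
$db->exec("INSERT INTO orders VALUES (1, 7, 30.0, 'paid', '2026-01-02'), "
        . "(2, 7, 10.0, 'new', '2026-01-05'), (3, 8, 99.0, 'paid', '2026-01-03')");

// An allowlisted sort key selects the mapped column for user 7's orders.
print_r(array_column(userOrders($db, 7, 'total', 'asc'), 'order_id'));
// Input outside the allowlist never reaches the SQL text; defaults apply.
echo orderByClause('total, (anything)', 'ASC, anything'), PHP_EOL;
```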

Affected Version(s)

Vvveb < 1.0.8.3

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
