CVE-2026-34429: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in givanz Vvveb
Vvveb versions prior to 1. 0. 8. 1 contain a stored cross-site scripting (XSS) vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript. This is achieved by bypassing MIME type validation through prepending a GIF89a header to HTML/JavaScript payloads, renaming the file with an executable extension such as . html, and triggering script execution in an administrator's browser. Exploitation can lead to creation of backdoor accounts and uploading malicious plugins enabling remote code execution. The vulnerability has a medium severity with a CVSS 4. 0 base score of 5. 1.
AI Analysis
Technical Summary
CVE-2026-34429 is a stored cross-site scripting vulnerability in the givanz Vvveb product prior to version 1.0.8.1. Authenticated users with permissions to upload and rename media files can bypass MIME type validation by prepending a GIF89a header to crafted HTML/JavaScript payloads, then renaming the uploaded file to an executable extension such as .html. This allows execution of arbitrary JavaScript in the context of an administrator's browser session. The malicious script can be used to create backdoor accounts and upload malicious plugins, potentially leading to remote code execution. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 4.0 score is 5.1, indicating medium severity. There is no vendor advisory or patch available at this time, and the product is not a cloud service.
Potential Impact
Successful exploitation allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript in administrator sessions. This can lead to privilege escalation through creation of backdoor accounts and uploading malicious plugins, which may enable remote code execution. The vulnerability compromises the integrity and security of the affected system by allowing persistent malicious code execution.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict media upload and rename permissions to trusted users only. Monitor for suspicious file uploads and consider implementing additional validation controls on uploaded content. Avoid using affected versions in sensitive environments where possible.
CVE-2026-34429: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in givanz Vvveb
Description
Vvveb versions prior to 1. 0. 8. 1 contain a stored cross-site scripting (XSS) vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript. This is achieved by bypassing MIME type validation through prepending a GIF89a header to HTML/JavaScript payloads, renaming the file with an executable extension such as . html, and triggering script execution in an administrator's browser. Exploitation can lead to creation of backdoor accounts and uploading malicious plugins enabling remote code execution. The vulnerability has a medium severity with a CVSS 4. 0 base score of 5. 1.
CVSS v4.0
Score 5.1medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-34429 is a stored cross-site scripting vulnerability in the givanz Vvveb product prior to version 1.0.8.1. Authenticated users with permissions to upload and rename media files can bypass MIME type validation by prepending a GIF89a header to crafted HTML/JavaScript payloads, then renaming the uploaded file to an executable extension such as .html. This allows execution of arbitrary JavaScript in the context of an administrator's browser session. The malicious script can be used to create backdoor accounts and upload malicious plugins, potentially leading to remote code execution. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 4.0 score is 5.1, indicating medium severity. There is no vendor advisory or patch available at this time, and the product is not a cloud service.
Potential Impact
Successful exploitation allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript in administrator sessions. This can lead to privilege escalation through creation of backdoor accounts and uploading malicious plugins, which may enable remote code execution. The vulnerability compromises the integrity and security of the affected system by allowing persistent malicious code execution.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict media upload and rename permissions to trusted users only. Monitor for suspicious file uploads and consider implementing additional validation controls on uploaded content. Avoid using affected versions in sensitive environments where possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-03-27T15:24:06.752Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e6390b19fe3cd2cd03286a
Added to database: 4/20/2026, 2:32:43 PM
Last enriched: 5/15/2026, 11:00:14 AM
Last updated: 6/4/2026, 7:02:36 PM
Views: 68
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.