CVE-2026-41929 is a reflected cross-site scripting vulnerability affecting Vvveb before version 1.0.8.2. The vulnerability exists in the visual editor preview renderer where the r query parameter and _component_ajax POST parameter are not properly sanitized. The gating function isEditor() fails to perform any session, role, or token verification, allowing unauthenticated attackers to inject arbitrary JavaScript. The view handler directly injects raw HTML from the POST body without sanitization, enabling execution of attacker-controlled scripts in the victim's browser within the Vvveb origin context. This vulnerability has a CVSS 4.0 base score of 5.1, reflecting a medium severity level. No patch or official remediation has been disclosed by the vendor, and no known exploits have been reported.

Successful exploitation allows unauthenticated attackers to execute arbitrary JavaScript in the context of the Vvveb web application. This can lead to typical XSS impacts such as session hijacking, defacement, or redirection to malicious sites. However, the vulnerability requires user interaction (UI:A) and has limited scope and impact as indicated by the CVSS vector. There are no known active exploits in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting access to the vulnerable component or implementing web application firewall (WAF) rules to detect and block malicious input targeting the r query parameter and _component_ajax POST parameter. Avoid clicking suspicious links or submitting untrusted forms related to the Vvveb visual editor preview. Monitor vendor channels for updates regarding an official patch.