CVE-2026-44366: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in givanz Vvveb
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.1, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Vvveb CMS comment submission flow. The author field is submitted by an unauthenticated user on any public post page, stored without sanitization, and later rendered unsanitized in two distinct sinks: This vulnerability is fixed in 1.0.8.1.
AI Analysis
Technical Summary
The givanz Vvveb CMS before version 1.0.8.1 contains a stored cross-site scripting vulnerability (CWE-79) in its comment submission feature. Specifically, the author field can be submitted by unauthenticated users and is stored without sanitization. This unsanitized input is later rendered in two distinct sinks on public post pages, enabling stored XSS attacks. The vulnerability has been assigned CVE-2026-44366 and has a CVSS 3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity with no impact on availability. The vulnerability is fixed in version 1.0.8.1 of Vvveb.
Potential Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the browsers of users viewing affected pages, potentially leading to information disclosure or manipulation of user interactions within the context of the vulnerable website. The impact is limited to confidentiality and integrity with no availability impact. No known active exploitation has been reported.
Mitigation Recommendations
Upgrade the givanz Vvveb CMS to version 1.0.8.1 or later, where this stored XSS vulnerability has been fixed. Since the vendor advisory indicates the issue is resolved in this version, applying this official fix is the recommended remediation. No additional mitigation steps are specified or required.
CVE-2026-44366: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in givanz Vvveb
Description
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.1, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Vvveb CMS comment submission flow. The author field is submitted by an unauthenticated user on any public post page, stored without sanitization, and later rendered unsanitized in two distinct sinks: This vulnerability is fixed in 1.0.8.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The givanz Vvveb CMS before version 1.0.8.1 contains a stored cross-site scripting vulnerability (CWE-79) in its comment submission feature. Specifically, the author field can be submitted by unauthenticated users and is stored without sanitization. This unsanitized input is later rendered in two distinct sinks on public post pages, enabling stored XSS attacks. The vulnerability has been assigned CVE-2026-44366 and has a CVSS 3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity with no impact on availability. The vulnerability is fixed in version 1.0.8.1 of Vvveb.
Potential Impact
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the browsers of users viewing affected pages, potentially leading to information disclosure or manipulation of user interactions within the context of the vulnerable website. The impact is limited to confidentiality and integrity with no availability impact. No known active exploitation has been reported.
Mitigation Recommendations
Upgrade the givanz Vvveb CMS to version 1.0.8.1 or later, where this stored XSS vulnerability has been fixed. Since the vendor advisory indicates the issue is resolved in this version, applying this official fix is the recommended remediation. No additional mitigation steps are specified or required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-05T20:15:20.631Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a076ec1ec166c07b08309f8
Added to database: 5/15/2026, 7:06:41 PM
Last enriched: 5/15/2026, 7:23:53 PM
Last updated: 5/16/2026, 6:26:27 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.