CVE-2026-44826: CWE-1284: Improper Validation of Specified Quantity in Input in givanz Vvveb
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-add endpoint. Submitting a negative integer is accepted by the server and treated as a normal positive line-item, but with the sign carried through into every downstream computation: line total, sub-total, taxes, and grand total all become negative numbers. The customer-facing cart UI then displays a negative grand total to the user, the checkout flow accepts the negative cart, and the resulting order is persisted in the merchant's database with a negative total column. From the merchant's order management dashboard, this surfaces as a real order with a negative total — an "the merchant owes the customer money" record that no legitimate workflow ever creates. This vulnerability is fixed in 1.0.8.2.
AI Analysis
Technical Summary
The vulnerability in Vvveb CMS (before version 1.0.8.2) stems from improper validation of the quantity parameter on the cart-add endpoint. Negative integers submitted as quantity are accepted and treated as negative values in all subsequent calculations including line total, subtotal, taxes, and grand total. This leads to negative order totals being displayed to customers and accepted by the checkout process. The resulting orders with negative totals are persisted in the merchant's order database, creating inconsistent and potentially exploitable financial records. The vulnerability is classified under CWE-1284 (Improper Validation of Specified Quantity in Input) and has a CVSS 3.1 score of 7.5 (high severity).
Potential Impact
The impact is primarily on the integrity of order data and financial records within the affected Vvveb CMS installations. Merchants may see orders with negative totals, which can disrupt accounting and order management processes. Although no direct confidentiality or availability impact is indicated, the integrity impact is high due to the potential for financial discrepancies. There is no evidence of known exploits in the wild at this time.
Mitigation Recommendations
This vulnerability is fixed in Vvveb CMS version 1.0.8.2. Users should upgrade to version 1.0.8.2 or later to remediate this issue. No official patch link is provided in the data, but upgrading to the fixed version is the recommended action. Since this is not a cloud service, remediation depends on the user applying the update. Patch status is not explicitly confirmed beyond the version fix note; users should verify with the vendor for the latest advisory and update instructions.
CVE-2026-44826: CWE-1284: Improper Validation of Specified Quantity in Input in givanz Vvveb
Description
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-add endpoint. Submitting a negative integer is accepted by the server and treated as a normal positive line-item, but with the sign carried through into every downstream computation: line total, sub-total, taxes, and grand total all become negative numbers. The customer-facing cart UI then displays a negative grand total to the user, the checkout flow accepts the negative cart, and the resulting order is persisted in the merchant's database with a negative total column. From the merchant's order management dashboard, this surfaces as a real order with a negative total — an "the merchant owes the customer money" record that no legitimate workflow ever creates. This vulnerability is fixed in 1.0.8.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Vvveb CMS (before version 1.0.8.2) stems from improper validation of the quantity parameter on the cart-add endpoint. Negative integers submitted as quantity are accepted and treated as negative values in all subsequent calculations including line total, subtotal, taxes, and grand total. This leads to negative order totals being displayed to customers and accepted by the checkout process. The resulting orders with negative totals are persisted in the merchant's order database, creating inconsistent and potentially exploitable financial records. The vulnerability is classified under CWE-1284 (Improper Validation of Specified Quantity in Input) and has a CVSS 3.1 score of 7.5 (high severity).
Potential Impact
The impact is primarily on the integrity of order data and financial records within the affected Vvveb CMS installations. Merchants may see orders with negative totals, which can disrupt accounting and order management processes. Although no direct confidentiality or availability impact is indicated, the integrity impact is high due to the potential for financial discrepancies. There is no evidence of known exploits in the wild at this time.
Mitigation Recommendations
This vulnerability is fixed in Vvveb CMS version 1.0.8.2. Users should upgrade to version 1.0.8.2 or later to remediate this issue. No official patch link is provided in the data, but upgrading to the fixed version is the recommended action. Since this is not a cloud service, remediation depends on the user applying the update. Patch status is not explicitly confirmed beyond the version fix note; users should verify with the vendor for the latest advisory and update instructions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-07T21:21:48.351Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a076ec1ec166c07b0830a01
Added to database: 5/15/2026, 7:06:41 PM
Last enriched: 5/15/2026, 7:23:33 PM
Last updated: 5/16/2026, 6:27:43 AM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.