CVE-2026-46408: CWE-639: Authorization Bypass Through User-Controlled Key in givanz Vvveb
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart_id and uses it to enter the payment flow without verifying cart ownership. A logged-in attacker can therefore reuse another user's cart data in their own checkout session. This vulnerability is fixed in 1.0.8.3.
AI Analysis
Technical Summary
The vulnerability in givanz Vvveb CMS (before version 1.0.8.3) involves the checkout endpoint accepting a cart_id parameter controlled by the user. The system does not verify that the cart_id belongs to the logged-in user, enabling an attacker with valid login credentials to use another user's cart data in their own checkout session. This is classified as CWE-639: Authorization Bypass Through User-Controlled Key. The vulnerability is addressed in version 1.0.8.3.
Potential Impact
An attacker with a valid login can bypass authorization checks on the checkout endpoint by specifying another user's cart_id, potentially leading to unauthorized use of another user's cart data. This can impact data integrity and user trust, with a high impact on confidentiality and integrity and a low impact on availability.
Mitigation Recommendations
Upgrade to givanz Vvveb version 1.0.8.3 or later, where this vulnerability is fixed. Since the vendor has released a fixed version, applying this official update is the recommended remediation. Patch status is not explicitly stated as 'patchAvailable' but the fix is confirmed in version 1.0.8.3.
CVE-2026-46408: CWE-639: Authorization Bypass Through User-Controlled Key in givanz Vvveb
Description
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart_id and uses it to enter the payment flow without verifying cart ownership. A logged-in attacker can therefore reuse another user's cart data in their own checkout session. This vulnerability is fixed in 1.0.8.3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in givanz Vvveb CMS (before version 1.0.8.3) involves the checkout endpoint accepting a cart_id parameter controlled by the user. The system does not verify that the cart_id belongs to the logged-in user, enabling an attacker with valid login credentials to use another user's cart data in their own checkout session. This is classified as CWE-639: Authorization Bypass Through User-Controlled Key. The vulnerability is addressed in version 1.0.8.3.
Potential Impact
An attacker with a valid login can bypass authorization checks on the checkout endpoint by specifying another user's cart_id, potentially leading to unauthorized use of another user's cart data. This can impact data integrity and user trust, with a high impact on confidentiality and integrity and a low impact on availability.
Mitigation Recommendations
Upgrade to givanz Vvveb version 1.0.8.3 or later, where this vulnerability is fixed. Since the vendor has released a fixed version, applying this official update is the recommended remediation. Patch status is not explicitly stated as 'patchAvailable' but the fix is confirmed in version 1.0.8.3.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-13T21:04:10.932Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a076ec7ec166c07b0830aef
Added to database: 5/15/2026, 7:06:47 PM
Last enriched: 5/15/2026, 7:21:41 PM
Last updated: 5/15/2026, 8:26:52 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.