CVE-2026-41932— Vvveb < 1.0.8.3 Stored XSS via Signup Controller
Possible ATT&CK Techniques 2AI
T1059 · Command and Scripting Interpreter T1189 · Drive-by CompromiseGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41932
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Vvveb < 1.0.8.3 Stored XSS via Signup Controller
Source: NVD (National Vulnerability Database)
Vulnerability Description
Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow where the Signup::addUser() controller copies raw POST username values into the display_name field before sanitization occurs. Attackers can submit HTML and script markup in the username field during signup, which gets stripped from the username column but persisted verbatim in the display_name column, allowing stored XSS execution when display_name is rendered without encoding in vulnerable views.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Vvveb 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Vvveb是Givan个人开发者的一个强大且易于使用的CMS,用于构建网站、博客或电子商务商店。 Vvveb 1.0.8.3之前版本存在跨站脚本漏洞,该漏洞源于客户注册流程中Signup::addUser()控制器在清理前将原始POST用户名值复制到display_name字段,可能导致攻击者在注册时提交HTML和脚本标记,在display_name列中持久化,导致存储型跨站脚本执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-41932
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41932
请登录查看更多情报信息。
- https://github.com/givanz/Vvveb/releases/tag/1.0.8.3release-notes
- https://www.vulncheck.com/advisories/vvveb-stored-xss-via-signup-controllerthird-party-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-41932
Same Patch Batch · givanz · 2026-05-14 · 4 CVEs total
| CVE-2026-41937 | 7.2 HIGH | Vvveb < 1.0.8.3 Unrestricted File Upload RCE via Plugin Upload |
| CVE-2026-41935 | 7.1 HIGH | Vvveb < 1.0.8.3 Uncontrolled Recursion Denial of Service |
| CVE-2026-41933 | 5.3 MEDIUM | Vvveb < 1.0.8.3 Directory Listing Information Disclosure |
IV. Related Vulnerabilities
Same product: Vvveb
- CVE-2026-46408
Vvveb: checkout IDOR allows unauthorized reuse of another us - CVE-2026-46407
Vvveb: admin/auth-token IDOR allows unauthorized disclosure - CVE-2026-45800
Vvveb: Authenticated SQL injection in /user/orders via order - CVE-2026-45622
Vvveb: Unauthenticated reflected XSS in public product retur - CVE-2026-45616
Vvveb: Stored XSS in Posts allows privilege escalation via p
Same vendor: givanz
- CVE-2026-46408
Vvveb: checkout IDOR allows unauthorized reuse of another us - CVE-2026-46407
Vvveb: admin/auth-token IDOR allows unauthorized disclosure - CVE-2026-45800
Vvveb: Authenticated SQL injection in /user/orders via order - CVE-2026-45622
Vvveb: Unauthenticated reflected XSS in public product retur - CVE-2026-45616
Vvveb: Stored XSS in Posts allows privilege escalation via p
Same weakness: CWE-79
- CVE-2026-33741
EspoCRM: Stored XSS via SVG attachment loading same-origin J - CVE-2025-40904
HTML injection in Smart Polling in Guardian/CMC before 26.1. - CVE-2025-40903
HTML injection in Schedule Restore Archive in Guardian/CMC b - CVE-2025-40902
HTML injection in Users in Guardian/CMC before 26.1.0 - CVE-2025-40901
HTML injection in Credentials Manager in Guardian/CMC before
V. Comments for CVE-2026-41932
No comments yet