CVE-2026-45622— Vvveb: Unauthenticated reflected XSS in public product return form via customer_order_id
Possible ATT&CK Techniques 1AI
T1059.007 · JavaScriptGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45622
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Vvveb: Unauthenticated reflected XSS in public product return form via customer_order_id
Source: NVD (National Vulnerability Database)
Vulnerability Description
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an unauthenticated reflected cross-site scripting (XSS) issue in the public product return form in Vvveb CMS. The customer_order_id POST parameter is inserted into the Order %s not found! error message when the order lookup fails, and that message is rendered in the frontend template without HTML escaping. As a result, attacker-controlled HTML/JavaScript executes in the submitting user's browser. This vulnerability is fixed in 1.0.8.3.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-45622
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-45622
请登录查看更多情报信息。
- https://github.com/givanz/Vvveb/security/advisories/GHSA-3xwm-8f6m-cfc6x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-45622
Same Patch Batch · givanz · 2026-05-15 · 7 CVEs total
| CVE-2026-46407 | 8.1 HIGH | Vvveb: admin/auth-token IDOR allows unauthorized disclosure of administrator REST API toke |
| CVE-2026-46408 | 7.6 HIGH | Vvveb: checkout IDOR allows unauthorized reuse of another user's cart |
| CVE-2026-44826 | 7.5 HIGH | Vvveb: Vvveb CMS — Negative-quantity cart manipulation allows creation of orders with nega |
| CVE-2026-44366 | 6.1 MEDIUM | Vvveb: Stored XSS via Comment Author Field |
| CVE-2026-45616 | Vvveb: Stored XSS in Posts allows privilege escalation via post editor | |
| CVE-2026-45800 | Vvveb: Authenticated SQL injection in /user/orders via order_by and direction |
IV. Related Vulnerabilities
Same product: Vvveb
- CVE-2026-46408
Vvveb: checkout IDOR allows unauthorized reuse of another us - CVE-2026-46407
Vvveb: admin/auth-token IDOR allows unauthorized disclosure - CVE-2026-45800
Vvveb: Authenticated SQL injection in /user/orders via order - CVE-2026-45616
Vvveb: Stored XSS in Posts allows privilege escalation via p - CVE-2026-44826
Vvveb: Vvveb CMS — Negative-quantity cart manipulation allow
Same vendor: givanz
- CVE-2026-46408
Vvveb: checkout IDOR allows unauthorized reuse of another us - CVE-2026-46407
Vvveb: admin/auth-token IDOR allows unauthorized disclosure - CVE-2026-45800
Vvveb: Authenticated SQL injection in /user/orders via order - CVE-2026-45616
Vvveb: Stored XSS in Posts allows privilege escalation via p - CVE-2026-44826
Vvveb: Vvveb CMS — Negative-quantity cart manipulation allow
Same weakness: CWE-79
- CVE-2018-25331
Zenar Content Management System Cross-Site Scripting via aja - CVE-2021-47981
Quick.CMS 6.7 Cross-Site Scripting via CSRF to Sliders Form - CVE-2021-47975
WordPress Plugin WP Learn Manager 1.1.2 Stored XSS - CVE-2021-47957
WordPress Plugin Cookie Law Bar 1.2.1 Stored XSS via clb_bar - CVE-2021-47955
CouchCMS 2.2.1 Cross-Site Scripting via SVG File Upload
V. Comments for CVE-2026-45622
No comments yet