CVE-2026-41929 MEDIUM

CVE-2026-41929: Vvveb < 1.0.8.2 Unauthenticated Reflected XSS via Visual Editor

Vendor Givanz

Product Vvveb

Weakness CWE-79 · XSS

Published May 7, 2026

Last update May 8, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or auto-submitted form that causes victims to execute attacker-controlled JavaScript in the context of the Vvveb origin, as the gating function isEditor() performs no session, role, or token verification and the view handler injects raw HTML POST body content without sanitization.

Key dates

02Disclosure timeline

May 7, 2026 CVE published

May 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-41929 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2026-41929: Vvveb < 1.0.8.2 Unauthenticated Reflected XSS via Visual Editor

01Description

02Disclosure timeline

03References

04Related CVE