CVE-2026-44366 MEDIUM

CVE-2026-44366: Vvveb: Stored XSS via Comment Author Field

Vendor Givanz
Product Vvveb
Weakness CWE-79 · XSS
Published May 15, 2026
Last update May 16, 2026
View on NVD All CVEs

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.1, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Vvveb CMS comment submission flow. The author field is submitted by an unauthenticated user on any public post page, stored without sanitization, and later rendered unsanitized in two distinct sinks: This vulnerability is fixed in 1.0.8.1.

Key dates

02Disclosure timeline

May 15, 2026 CVE published
May 16, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-42750 WordPress WPComplete plugin <= 2.9.5.4 - Cross Site Scripting (XSS) vulnerability CVE-2025-22808 WordPress Surbma | Premium WP plugin <= 9.0 - Cross Site Scripting (XSS) vulnerability CVE-2022-20667 Cisco Common Services Platform Collector Cross-Site Scripting Vulnerabilities CVE-2021-24751 GenerateBlocks < 1.4.0 - Contributor+ Stored Cross-Site Scripting CVE-2024-11763 Plezi <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting