Medium severity6.1NVD Advisory· Published May 7, 2026· Updated May 8, 2026

CVE-2026-41929

Description

Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or auto-submitted form that causes victims to execute attacker-controlled JavaScript in the context of the Vvveb origin, as the gating function isEditor() performs no session, role, or token verification and the view handler injects raw HTML POST body content without sanitization.

Affected products

Givanz/Vvvebreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/givanz/Vvveb/commit/54a9e846fb94192f1b31ae81d81d25c874662e6anvd
github.com/givanz/Vvveb/releases/tag/1.0.8.2nvd
github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48gnvd
www.vulncheck.com/advisories/vvveb-unauthenticated-reflected-xss-via-visual-editornvd

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000