VYPR
← All advisories
Medium severity6.1NVD Advisory· Published May 15, 2026· Updated May 18, 2026

CVE-2026-44366

CVE-2026-44366

Description

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.1, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Vvveb CMS comment submission flow. The author field is submitted by an unauthenticated user on any public post page, stored without sanitization, and later rendered unsanitized in two distinct sinks: This vulnerability is fixed in 1.0.8.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Vvveb CMS prior to 1.0.8.1 via comment author field, exploitable by unauthenticated users on public posts.

A stored cross-site scripting (XSS) vulnerability exists in Vvveb CMS versions prior to 1.0.8.1. The author field submitted during comment creation is not sanitized before storage and is later rendered unsanitized in two distinct sinks [1].

The vulnerability can be exploited by any unauthenticated user on a public post page. By submitting a malicious payload in the author field, the attacker triggers script execution in two contexts: (1) in the admin panel, when an admin clicks the author name link in the comments moderation dashboard, and (2) on the public post page, when any visitor clicks the Reply button on the malicious comment [1].

The impact includes arbitrary JavaScript execution in the context of the victim's browser. In the admin sink, an attacker could potentially steal session cookies or perform actions on behalf of the admin. In the public sink, any visitor clicking Reply is affected, broadening the attack surface significantly [1].

This vulnerability is fixed in Vvveb CMS version 1.0.8.1. Users are advised to update to the latest version immediately [1].

References
  1. Stored XSS via Comment Author Field

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.