CVE-2026-45616
Description
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, This vulnerability is fixed in 1.0.8.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Vvveb CMS post content allows Editors to execute JavaScript when privileged users edit the post, enabling privilege escalation.
Vulnerability
Vvveb CMS prior to version 1.0.8.3 contains a stored cross-site scripting (XSS) vulnerability in the post content field. The application fails to sanitize HTML event-handler attributes, allowing users with the Editor role to inject malicious payloads such as > into post content. [1]
Exploitation
The payload is stored and does not execute during public viewing or browsing in the admin panel. It triggers only when a user with edit permissions (Administrator, Super Admin, or any role with edit_post capability) opens the affected post in the admin editor. This passive attack vector requires no additional interaction beyond the victim's normal editorial workflow, making it a stealthy privilege escalation path. [1]
Impact
Successful exploitation against an Administrator session can lead to session cookie theft, account takeover, creation of backdoor admin accounts, installation of malicious plugins or theme modifications, and data exfiltration. The vulnerability is rated as Moderate severity, with the attack surface limited to users who edit the compromised post. [1]
Mitigation
The issue is fixed in Vvveb version 1.0.8.3. Users are advised to upgrade immediately. No workarounds are mentioned in the advisory. [1]
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.