VYPR
Medium severity · NVD Advisory · Published May 15, 2026 · Updated May 18, 2026

CVE-2026-45622

Description

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an unauthenticated reflected cross-site scripting (XSS) issue in the public product return form in Vvveb CMS. The customer_order_id POST parameter is inserted into the Order %s not found! error message when the order lookup fails, and that message is rendered in the frontend template without HTML escaping. As a result, attacker-controlled HTML/JavaScript executes in the submitting user's browser. This vulnerability is fixed in 1.0.8.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated reflected XSS in Vvveb CMS < 1.0.8.3 allows attackers to execute arbitrary JavaScript via the customer_order_id parameter in the public return form.

Vulnerability

Overview

CVE-2026-45622 is an unauthenticated reflected cross-site scripting (XSS) vulnerability in Vvveb CMS versions prior to 1.0.8.3. The flaw resides in the public product return form endpoint (/index.php?module=user/return-form&action=save). When a user submits the form with a non-existent order ID, the customer_order_id POST parameter is interpolated directly into the error message Order %s not found! via sprintf() in app/controller/user/return-form.php. That message is then rendered in the frontend template without HTML escaping, so attacker-controlled HTML/JavaScript executes in the submitting user's browser [1].

Exploitation

The attack requires no authentication and can be triggered by any user who visits the public return form. An attacker crafts a malicious payload (e.g., ">) and submits it as the customer_order_id value along with valid form fields. When the order lookup fails, the server reflects the payload into the error message, and the browser executes the injected script. The attack is delivered via a POST request, which may require a CSRF token, but the advisory notes that arbitrary script execution still occurs in the browser context [1].

Impact

Successful exploitation results in arbitrary JavaScript execution in the context of the victim's session on the Vvveb CMS site. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the page. The advisory does not claim direct server compromise or privilege escalation, but the XSS can serve as a stepping stone for further attacks [1].

Mitigation

The vulnerability is fixed in Vvveb CMS version 1.0.8.3. Users should upgrade immediately. No workarounds are documented, but sanitizing the customer_order_id input or escaping output in the template would prevent exploitation [1].
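To make the fix concrete, the following is an added PHP illustration of the flaw class the advisory describes and of the output-escaping that prevents it. It is not Vvveb's code: the function names are hypothetical, the sprintf() message is the one quoted in the advisory, and the sample input is constructed.

```php
<?php
// Added illustration of the pattern described in this advisory; not Vvveb's code.
// The function names below are hypothetical stand-ins for the controller logic.
declare(strict_types=1);

// Vulnerable pattern: the raw POST value is interpolated into the error
// message, and that message is later echoed into the template unescaped.
function buildErrorMessageVulnerable(string $customerOrderId): string
{
    return sprintf('Order %s not found!', $customerOrderId);
}

// Hardened pattern: HTML-encode the untrusted value at output time so the
// browser renders it as text. ENT_QUOTES encodes both quote styles (the
// advisory's example payload starts with a double quote); ENT_SUBSTITUTE
// avoids returning an empty string on invalid UTF-8.
function buildErrorMessageSafe(string $customerOrderId): string
{
    $escaped = htmlspecialchars(
        $customerOrderId,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return sprintf('Order %s not found!', $escaped);
}

// Defence in depth: an order id is normally a short token, so values that
// cannot be valid can be rejected before they ever reach the template.
// The character class and length are assumptions, not Vvveb's format.
function isPlausibleOrderId(string $value): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,32}$/', $value) === 1;
}

// Constructed input: a harmless order id that happens to contain markup.
$untrusted = '<b>1234</b>';

echo buildErrorMessageVulnerable($untrusted), PHP_EOL; // markup reaches the page as-is
echo buildErrorMessageSafe($untrusted), PHP_EOL;       // markup is entity-encoded
var_dump(isPlausibleOrderId($untrusted));              // rejected by the allow-list
```

Escaping must happen at the point where the message is written into HTML; validating the input is an extra layer, not a replacement, since the same message may be reused in other contexts.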

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
