VYPR
Vendor

Givanz

Products
2
CVEs
42
Across products
42
Status
Private

Products

2

Recent CVEs

42
View all 42 CVEs →
  • CVE-2026-39918CriApr 20, 2026
    risk 0.57cvss 9.8epss 0.01

    Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the…

  • CVE-2026-6257CriApr 20, 2026
    risk 0.52cvss 9.1epss 0.01

    Vvveb CMS v1.0.8.2 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows authenticated attackers to rename files to blocked extensions .php or .htaccess. Attackers can exploit this…

  • CVE-2026-45800HigMay 15, 2026
    risk 0.50cvss epss 0.00

    Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an authenticated SQL injection issue in the frontend user order history page in Vvveb CMS. A normal frontend user can log in and access…

  • CVE-2026-41934HigMay 6, 2026
    risk 0.50cvss 8.8epss 0.01

    Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code through insufficient file extension restrictions, with the uploaded payload then executable…

  • CVE-2026-6249HigApr 20, 2026
    risk 0.50cvss 8.8epss 0.01

    Vvveb CMS 1.0.8.2 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass the extension deny-list and…

  • CVE-2026-34427HigApr 20, 2026
    risk 0.50cvss 8.8epss 0.01

    Vvveb prior to 1.0.8.1 contains a privilege escalation vulnerability in the admin user profile save endpoint that allows authenticated users to modify privileged fields on their own profile. Attackers can inject role_id=1 into profile save requests to escalate to Super…

  • CVE-2026-46407HigMay 15, 2026
    risk 0.46cvss 8.1epss 0.00

    Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to load another administrator's REST API token list by supplying that user's…

  • CVE-2026-41936HigMay 6, 2026
    risk 0.46cvss 8.1epss 0.00

    Vvveb before version 1.0.8.2 contains an XML external entity (XXE) injection vulnerability in the admin Tools/Import feature that allows authenticated site_admin users to read arbitrary files and modify database records. Attackers can exploit the XML parser configuration in…

  • CVE-2026-34428HigApr 20, 2026
    risk 0.43cvss 7.7epss 0.00

    Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl() via curl without scheme or destination validation. Authenticated backend users can supply…

  • CVE-2026-46408HigMay 15, 2026
    risk 0.42cvss 7.6epss 0.00

    Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart_id and uses it to enter the payment flow without verifying cart ownership. A logged-in attacker can…

  • CVE-2026-44826HigMay 15, 2026
    risk 0.42cvss 7.5epss 0.00

    Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-add endpoint. Submitting a negative integer is accepted by the server and treated…

  • CVE-2025-9397MedAug 24, 2025
    risk 0.41cvss 6.3epss 0.00

    A weakness has been identified in givanz Vvveb up to 1.0.7.2. Affected is an unknown function of the file /system/traits/media.php. Executing manipulation of the argument files[] can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made…

  • CVE-2025-8517MedAug 4, 2025
    risk 0.41cvss 6.3epss 0.01

    A vulnerability was detected in givanz Vvveb 1.0.6.1. Impacted is an unknown function. The manipulation results in session fixiation. The attack can be launched remotely. The exploit is now public and may be used. Upgrading to version 1.0.7 is recommended to address this issue.…

  • CVE-2026-41937HigMay 14, 2026
    risk 0.40cvss 7.2epss 0.00

    Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows super_admin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file. Attackers can craft a ZIP containing a plugin.php with a valid Slug header…

  • CVE-2026-41935HigMay 14, 2026
    risk 0.39cvss 7.1epss 0.00

    Vvveb before 1.0.8.3 contains an uncontrolled recursion vulnerability in the admin controller dispatch cycle where Base::init() repeatedly invokes permission() on error handlers, causing infinite recursion until PHP memory limits are exhausted. Attackers can send sustained…

  • CVE-2025-12203MedOct 27, 2025
    risk 0.34cvss 6.3epss 0.00

    A weakness has been identified in givanz Vvveb up to 1.0.7.3. This issue affects the function sanitizeFileName of the file system/functions.php of the component Code Editor. Executing a manipulation of the argument File can lead to path traversal. The attack can be launched…

  • CVE-2025-8518MedAug 4, 2025
    risk 0.34cvss 4.7epss 0.01

    A vulnerability was found in givanz Vvveb 1.0.5. It has been rated as critical. Affected by this issue is the function Save of the file admin/controller/editor/code.php of the component Code Editor. The manipulation leads to code injection. The attack may be launched remotely.…

  • CVE-2026-44366MedMay 15, 2026
    risk 0.33cvss 6.1epss 0.00

    Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.1, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Vvveb CMS comment submission flow. The author field is submitted by an unauthenticated user…

  • CVE-2026-41932MedMay 14, 2026
    risk 0.33cvss 6.1epss 0.00

    Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow where the Signup::addUser() controller copies raw POST username values into the display_name field before sanitization occurs. Attackers can submit HTML and script markup in the…

  • CVE-2026-41929MedMay 7, 2026
    risk 0.33cvss 6.1epss 0.00

    Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft…