CVE-2026-41929

Name of the Vulnerable Software and Affected Versions Vvveb versions prior to 1.0.8.2

Description An unauthenticated reflected cross-site scripting issue exists in the visual editor preview renderer. Attackers can execute arbitrary JavaScript by manipulating the r query parameter and component ajax POST parameter. This occurs because the isEditor() function does not perform session, role, or token verification, and the view handler injects raw HTML POST body content without sanitization. Attackers can use a malicious link or an auto-submitted form to execute controlled JavaScript within the context of the Vvveb origin.

Recommendations Update to version 1.0.8.2 or later.