PT-2026-40941 · Givanz+1 · Vvveb

Basant Kumar

+1

·

Published

2026-05-14

·

Updated

2026-05-14

·

CVE-2026-41932

CVSS v3.1

6.1

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Vvveb versions prior to 1.0.8.3
Description A stored cross-site scripting issue exists in the customer signup flow. The Signup::addUser() controller copies raw POST username values into the display name field before sanitization. This allows attackers to submit HTML and script markup in the username field during signup; while the markup is stripped from the username column, it is persisted in the display name column. The script executes when the display name is rendered without encoding in vulnerable views.
Recommendations Update Vvveb to version 1.0.8.3 or later.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-41932

Affected Products

Vvveb