PT-2026-40941 · Givanz+1 · Vvveb
Basant Kumar
+1
·
Published
2026-05-14
·
Updated
2026-05-14
·
CVE-2026-41932
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Vvveb versions prior to 1.0.8.3
Description
A stored cross-site scripting issue exists in the customer signup flow. The
Signup::addUser() controller copies raw POST username values into the display name field before sanitization. This allows attackers to submit HTML and script markup in the username field during signup; while the markup is stripped from the username column, it is persisted in the display name column. The script executes when the display name is rendered without encoding in vulnerable views.Recommendations
Update Vvveb to version 1.0.8.3 or later.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Vvveb